CVE-2026-33142
SQL Injection in OneUptime StatementGenerator Enables Arbitrary Queries

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to three other query construction paths in StatementGenerator. The toSortStatement, toSelectStatement, and toGroupByStatement methods accept user-controlled object keys from API request bodies and interpolate them as ClickHouse Identifier parameters without verifying they correspond to actual model columns. ClickHouse Identifier parameters are substituted directly into queries without escaping, so an attacker who can reach any analytics list or aggregate endpoint can inject arbitrary SQL through crafted sort, select, or groupBy keys. This issue has been patched in version 10.0.34.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-03-20
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: hackerbay
Product: oneuptime
Version / Range: versions before 10.0.34 (10.0.34 itself excluded)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33142 is a high-severity SQL injection vulnerability in OneUptime's use of ClickHouse for analytics queries. The vulnerability occurs because certain methods in the StatementGenerator class, specifically toSortStatement, toSelectStatement, and toGroupByStatement, accept user-controlled keys from API requests and insert them directly into SQL queries as ClickHouse Identifier parameters without validating that these keys correspond to actual database columns.

Since ClickHouse Identifier parameters are substituted directly into queries without escaping or quoting, an attacker who can access any analytics list or aggregate endpoint can craft malicious sort, select, or groupBy keys to inject arbitrary SQL commands. This can lead to unauthorized access or manipulation of analytics data.

The issue was fixed in version 10.0.34 by adding validation to these methods to ensure that only valid column names are accepted, preventing SQL injection. [1]


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker with authenticated access to analytics endpoints to inject arbitrary SQL commands into the ClickHouse database queries.

The potential impacts include unauthorized reading, modification, or deletion of analytics data stored in ClickHouse, compromising the confidentiality and integrity of that data.

The vulnerability has a high severity score (CVSS v3.1 base score of 8.1) and requires low attack complexity and privileges, making it a significant risk if exploited.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring API requests to analytics list or aggregate endpoints that include the parameters `sort`, `select`, or `groupBy`. Look for unusual or suspicious values in these parameters that do not correspond to valid model columns, as these may indicate attempts to inject SQL.

Since the vulnerability involves SQL injection via unvalidated column identifiers, detection can involve inspecting logs or network traffic for requests containing unexpected or malformed column names in these parameters.

Specific commands depend on your environment, but example approaches include:

- Using network traffic capture tools like tcpdump or Wireshark to filter HTTP requests to the analytics endpoints and inspect the `sort`, `select`, and `groupBy` parameters.
- Using grep or similar tools on server logs to search for suspicious parameter values, e.g., `grep -E 'sort=|select=|groupBy=' /path/to/logs`.
- If you have access to the application database or logs, query for analytics requests with unexpected column names or patterns that do not match known model columns. [1]
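The detection idea above (compare the object keys under `sort`, `select` and `groupBy` against the columns the model actually has) can be scripted instead of eyeballed with grep. The following is an added example, not OneUptime code: it scans a constructed request log in which each line carries the JSON request body, and reports every key under those three fields that is not a known column. The log line format, the endpoint paths and the column list are assumptions for the example; substitute the ones your deployment actually logs.

```typescript
// Added detection example (not part of OneUptime): flag analytics requests whose
// sort/select/groupBy keys are not known model columns. The log format, the
// endpoint paths and the column list below are constructed for this example.

const KNOWN_COLUMNS: ReadonlySet<string> = new Set([
  "projectId", "serviceId", "time", "severityText", "durationInMs", "statusCode",
]);

// Only these request-body fields feed StatementGenerator's Identifier parameters.
const IDENTIFIER_FIELDS = ["sort", "select", "groupBy"] as const;
type IdentifierField = (typeof IDENTIFIER_FIELDS)[number];

export interface Finding {
  lineNo: number;          // 1-based line number in the log
  path: string;            // request path
  field: IdentifierField;  // which of sort/select/groupBy held the key
  key: string;             // the object key that is not a model column
}

// Return every key under sort/select/groupBy that is not in the allowlist.
export function unknownIdentifierKeys(
  body: unknown,
): Array<{ field: IdentifierField; key: string }> {
  const out: Array<{ field: IdentifierField; key: string }> = [];
  if (!body || typeof body !== "object") return out;
  const rec = body as Record<string, unknown>;
  for (const field of IDENTIFIER_FIELDS) {
    const obj = rec[field];
    if (!obj || typeof obj !== "object") continue;
    for (const key of Object.keys(obj)) {
      if (!KNOWN_COLUMNS.has(key)) out.push({ field, key });
    }
  }
  return out;
}

// Constructed log line shape: "<ISO timestamp> <METHOD> <path> <JSON request body>".
const LINE_RE = /^(\S+) (\S+) (\S+) (.*)$/;

export function scanLog(logText: string): Finding[] {
  const findings: Finding[] = [];
  logText.split("\n").forEach((line, idx) => {
    const m = LINE_RE.exec(line);
    if (!m) return;                                   // not a request line
    const path = m[3];
    const rawBody = m[4];
    if (!path.includes("/analytics/")) return;        // list and aggregate endpoints only
    let body: unknown;
    try {
      body = JSON.parse(rawBody);
    } catch {
      return;                                         // unparsable body: nothing to check
    }
    for (const hit of unknownIdentifierKeys(body)) {
      findings.push({ lineNo: idx + 1, path, ...hit });
    }
  });
  return findings;
}

// Constructed sample log: two benign requests, two with keys that are not columns,
// and one unrelated request that must be ignored.
export const SAMPLE_LOG = [
  '2026-03-21T10:00:01Z POST /api/analytics/list {"sort":{"time":"DESC"},"select":{"durationInMs":true}}',
  '2026-03-21T10:00:02Z POST /api/analytics/aggregate {"groupBy":{"serviceId":true},"select":{"durationInMs":true}}',
  '2026-03-21T10:00:03Z POST /api/analytics/list {"sort":{"time, x":"ASC"}}',
  '2026-03-21T10:00:04Z POST /api/analytics/aggregate {"groupBy":{"not_a_column":true}}',
  '2026-03-21T10:00:05Z GET /api/status {}',
].join("\n");

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`line ${f.lineNo} ${f.path}: ${f.field} key "${f.key}" is not a model column`);
}
```

Because the allowlist is the same one the patched StatementGenerator should enforce, any hit is either a client bug or probing; on an unpatched instance, treat a hit as a request that reached ClickHouse with an attacker-chosen identifier.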


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation is to upgrade OneUptime to version 10.0.34 or later, where the vulnerability has been fixed by adding proper validation of column names in the `toSortStatement`, `toSelectStatement`, and `toGroupByStatement` methods.

If upgrading immediately is not possible, consider implementing strict input validation or filtering on the `sort`, `select`, and `groupBy` parameters at the API gateway or application layer to ensure only valid column names are accepted.

Additionally, restrict access to analytics endpoints to trusted and authenticated users only, as the attack requires authenticated access.

Monitor logs and network traffic for suspicious activity targeting these parameters and respond accordingly.
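To make the mechanism and the fix concrete, here is an added TypeScript example that is not OneUptime's StatementGenerator. It rebuilds the vulnerable shape in miniature: request-body object keys become ClickHouse `{name:Identifier}` query parameters, which ClickHouse substitutes verbatim. Alongside it is the hardened shape, which does what the 10.0.34 fix is described as doing: reject any key that is not a column of the target model, in all three of toSortStatement, toSelectStatement and toGroupByStatement. The model, its column names and the function signatures are assumptions for the illustration.

```typescript
// Added example, not OneUptime code. Shows request-body keys becoming
// ClickHouse {name:Identifier} parameters, unvalidated (the bug) and
// validated against the model's columns (the fix). Model is assumed.

export interface AnalyticsModel {
  tableName: string;
  columns: ReadonlySet<string>;
}

export const LOG_MODEL: AnalyticsModel = {
  tableName: "Log",
  columns: new Set(["projectId", "serviceId", "time", "severityText", "durationInMs"]),
};

export interface Statement {
  sql: string;                     // contains {name:Identifier} placeholders
  params: Record<string, string>;  // placeholder name -> identifier value sent to ClickHouse
}

export class InvalidColumnError extends Error {}

// Before the fix: every key is trusted as a column name. Nothing is escaped,
// so whatever the client sent is the identifier ClickHouse will splice in.
export function toSortStatementUnvalidated(sort: Record<string, string>): Statement {
  const params: Record<string, string> = {};
  const parts: string[] = [];
  Object.keys(sort).forEach((key, i) => {
    const p = `sort_${i}`;
    params[p] = key;
    parts.push(`{${p}:Identifier} ${sort[key] === "DESC" ? "DESC" : "ASC"}`);
  });
  return { sql: parts.length ? `ORDER BY ${parts.join(", ")}` : "", params };
}

// The fix: a key is usable only if it is a column of the target model.
export function assertModelColumns(model: AnalyticsModel, keys: string[]): void {
  for (const key of keys) {
    if (!model.columns.has(key)) {
      throw new InvalidColumnError(`"${key}" is not a column of ${model.tableName}`);
    }
  }
}

export function toSortStatement(model: AnalyticsModel, sort: Record<string, string>): Statement {
  assertModelColumns(model, Object.keys(sort));
  return toSortStatementUnvalidated(sort);
}

export function toSelectStatement(model: AnalyticsModel, select: Record<string, boolean>): Statement {
  const keys = Object.keys(select).filter((k) => select[k]);
  assertModelColumns(model, keys);
  const params: Record<string, string> = {};
  const parts = keys.map((key, i) => {
    params[`select_${i}`] = key;
    return `{select_${i}:Identifier}`;
  });
  return { sql: parts.length ? `SELECT ${parts.join(", ")}` : "SELECT *", params };
}

export function toGroupByStatement(model: AnalyticsModel, groupBy: Record<string, boolean>): Statement {
  const keys = Object.keys(groupBy).filter((k) => groupBy[k]);
  assertModelColumns(model, keys);
  const params: Record<string, string> = {};
  const parts = keys.map((key, i) => {
    params[`group_${i}`] = key;
    return `{group_${i}:Identifier}`;
  });
  return { sql: parts.length ? `GROUP BY ${parts.join(", ")}` : "", params };
}

// Mimics the server-side treatment of Identifier parameters: plain textual
// substitution. Included only to make visible what an unvalidated key turns into.
export function substituteIdentifiers(stmt: Statement): string {
  return stmt.sql.replace(/\{(\w+):Identifier\}/g, (m, name: string) => stmt.params[name] ?? m);
}

console.log(substituteIdentifiers(toSortStatement(LOG_MODEL, { time: "DESC" })));
console.log(substituteIdentifiers(toSortStatementUnvalidated({ "time, x": "ASC" })));
```

The allowlist is the whole fix: once keys are checked against the model's real columns, the fact that Identifier parameters are not escaped no longer matters, because every value that reaches ClickHouse was chosen by the server's schema rather than by the client. The same check belongs on every path that turns a key into an identifier, which is exactly what the partial fix for CVE-2026-32306 missed.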

