CVE-2026-34758
Unauthorized Access in OneUptime Enables Notification Abuse
Publication date: 2026-04-02
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hackerbay | oneuptime | to 10.0.40 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34758 is a critical security vulnerability in the OneUptime monitoring platform prior to version 10.0.42. It occurs because several notification-related API endpoints lack proper authentication, allowing unauthenticated attackers to access and abuse SMS, call, email, and WhatsApp messaging functionalities.
Specifically, attackers can send messages and make calls using the victim organization's Twilio, SMTP, and WhatsApp credentials without any authentication. They can also purchase phone numbers via the victim's Twilio account, potentially causing financial loss. This happens because the affected endpoints do not enforce user authentication middleware, exposing sensitive credentials and allowing unauthorized actions.
The vulnerability was patched in version 10.0.42 by adding user authentication middleware to all affected notification API routes, ensuring only authenticated users can access these critical functions.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized use and abuse of your messaging and telephony services.
- Attackers can send SMS, calls, WhatsApp messages, and emails using your organization's Twilio, SMTP, and WhatsApp credentials without permission.
- Unauthorized purchase of phone numbers through your Twilio account can lead to unexpected financial charges.
- Sensitive credentials such as Twilio AccountSID, AuthToken, SMTP usernames and passwords can be exposed, leading to further compromise.
- Attackers can manipulate phone number assignments and other notification settings, potentially disrupting your communication infrastructure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether the notification-related API endpoints allow unauthenticated access. Specifically, you can send requests to the vulnerable endpoints of your own instance without any credentials and observe whether the requests succeed.
- Test WhatsApp message sending without authentication: `curl -X POST https://TARGET/notification/whatsapp/test -H "Content-Type: application/json" -d '{"toPhone": "+1234567890"}'`
- Test SMS sending without authentication (requires a valid callSMSConfigId UUID): `curl -X POST https://TARGET/notification/sms/test -H "Content-Type: application/json" -d '{"callSMSConfigId": "<UUID>", "toPhone": "+1234567890"}'`
- Test email sending without authentication (requires a valid smtpConfigId UUID): `curl -X POST https://TARGET/notification/smtp-config/test -H "Content-Type: application/json" -d '{"projectId": "<UUID>", "incomingCallPolicyId": "<UUID>", "phoneNumber": "+1234567890"}'`
- Test phone number purchase or management endpoints without authentication by sending POST requests to endpoints such as `/notification/phone-number/purchase` and the other phone-number management routes.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OneUptime to version 10.0.42 or later, where authentication middleware has been added to all affected notification-related API endpoints.
If upgrading immediately is not possible, restrict public access to the /notification API routes at the network or proxy level to prevent unauthenticated access.
Ensure that authentication middleware such as UserMiddleware or ClusterKeyAuthorization.isAuthorizedServiceMiddleware is applied to all notification test and phone number management endpoints to enforce user authentication.
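The fix described above and in the patch summary is a middleware-ordering problem (CWE-306): the handler that spends the organization's Twilio or SMTP resources runs without anything having established the caller's identity first. The following is an added example, not OneUptime's code: a minimal Express-style dispatcher in which `requireUser` is a hypothetical stand-in for the page's UserMiddleware, the route and session store are constructed for illustration, and the vulnerable route table is shown beside the corrected one.

```javascript
// Added example (not OneUptime's code) modelling CWE-306 on a notification route.
// The route, handler and session store are constructed stand-ins for illustration.

// Constructed session store: bearer token -> user id.
const SESSIONS = new Map([['tok-alice', 'alice']]);

// Authentication middleware (hypothetical stand-in for UserMiddleware).
// It ends the chain with 401 unless a valid session token is presented.
function requireUser(req, res, next) {
  const header = req.headers['authorization'] || '';
  const token = header.startsWith('Bearer ') ? header.slice(7) : null;
  const userId = token ? SESSIONS.get(token) : undefined;
  if (!userId) {
    res.status = 401;
    res.body = { error: 'authentication required' };
    return; // next() is not called, so the handler below never runs
  }
  req.userId = userId;
  next();
}

// Handler that would consume the org's SMS credentials. It has no auth
// logic of its own; it relies on middleware having run before it.
function sendTestSms(req, res) {
  res.status = 200;
  res.body = { sent: true, to: req.body.toPhone, by: req.userId || 'anonymous' };
}

// Route table. fixed=false is the vulnerable shape (handler only);
// fixed=true is the patched shape (auth middleware ahead of the handler).
function buildRoutes(fixed) {
  const chain = fixed ? [requireUser, sendTestSms] : [sendTestSms];
  return { 'POST /notification/sms/test': chain };
}

// Tiny dispatcher that runs a middleware chain the way Express does.
function dispatch(routes, req) {
  const chain = routes[`${req.method} ${req.path}`];
  if (!chain) return { status: 404, body: { error: 'not found' } };
  const res = { status: 0, body: null };
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}
```

Running an anonymous request through both tables shows the difference directly: the unprotected table returns 200 and sends on behalf of "anonymous", while the fixed table returns 401 before the handler is reached.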
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to abuse SMS, call, email, and WhatsApp messaging functionalities and purchase phone numbers using the victim organization's credentials. This leads to unauthorized access and potential misuse of sensitive communication channels and credentials.
Such unauthorized access and abuse can result in breaches of confidentiality and integrity, which are critical aspects of compliance with standards like GDPR and HIPAA that require protection of personal and sensitive data.
Additionally, the financial impact and unauthorized manipulation of resources may violate regulatory requirements for secure access controls and auditing.