CVE-2026-34758
Received Received - Intake
Unauthorized Access in OneUptime Enables Notification Abuse

Publication date: 2026-04-02

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34758
EUVD
EUVD-2026-18511
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hackerbay oneuptime to 10.0.40 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to abuse SMS, call, email, and WhatsApp messaging functionalities and purchase phone numbers using the victim organization's credentials. This leads to unauthorized access and potential misuse of sensitive communication channels and credentials.

Such unauthorized access and abuse can result in breaches of confidentiality and integrity, which are critical aspects of compliance with standards like GDPR and HIPAA that require protection of personal and sensitive data.

Additionally, the financial impact and unauthorized manipulation of resources may violate regulatory requirements for secure access controls and auditing.

Executive Summary

CVE-2026-34758 is a critical security vulnerability in the OneUptime monitoring platform prior to version 10.0.42. It occurs because several notification-related API endpoints lack proper authentication, allowing unauthenticated attackers to access and abuse SMS, call, email, and WhatsApp messaging functionalities.

Specifically, attackers can send messages and make calls using the victim organization's Twilio, SMTP, and WhatsApp credentials without any authentication. They can also purchase phone numbers via the victim's Twilio account, potentially causing financial loss. This happens because the affected endpoints do not enforce user authentication middleware, exposing sensitive credentials and allowing unauthorized actions.

The vulnerability was patched in version 10.0.42 by adding user authentication middleware to all affected notification API routes, ensuring only authenticated users can access these critical functions.

Impact Analysis

This vulnerability can have severe impacts including unauthorized use and abuse of your messaging and telephony services.

  • Attackers can send SMS, calls, WhatsApp messages, and emails using your organization's Twilio, SMTP, and WhatsApp credentials without permission.
  • Unauthorized purchase of phone numbers through your Twilio account can lead to unexpected financial charges.
  • Sensitive credentials such as Twilio AccountSID, AuthToken, SMTP usernames and passwords can be exposed, leading to further compromise.
  • Attackers can manipulate phone number assignments and other notification settings, potentially disrupting your communication infrastructure.
Detection Guidance

This vulnerability can be detected by testing whether the notification-related API endpoints allow unauthenticated access. Specifically, you can attempt to send requests to the vulnerable endpoints without authentication and observe if the requests succeed.

  • Test WhatsApp message sending without authentication: curl -X POST https://TARGET/notification/whatsapp/test -H "Content-Type: application/json" -d '{"toPhone": "+1234567890"}'
  • Test SMS sending without authentication (requires a valid callSMSConfigId UUID): curl -X POST https://TARGET/notification/sms/test -H "Content-Type: application/json" -d '{"callSMSConfigId": "<UUID>", "toPhone": "+1234567890"}'
  • Test email sending without authentication (requires valid smtpConfigId UUID): curl -X POST https://TARGET/notification/smtp-config/test -H "Content-Type: application/json" -d '{"projectId": "<UUID>", "incomingCallPolicyId": "<UUID>", "phoneNumber": "+1234567890"}'
  • Test phone number purchase or management endpoints without authentication by sending POST requests to endpoints like /notification/phone-number/purchase and others.
Mitigation Strategies

The immediate mitigation step is to upgrade OneUptime to version 10.0.42 or later, where authentication middleware has been added to all affected notification-related API endpoints.

If upgrading immediately is not possible, restrict public access to the /notification API routes at the network or proxy level to prevent unauthenticated access.

Ensure that authentication middleware such as UserMiddleware or ClusterKeyAuthorization.isAuthorizedServiceMiddleware is applied to all notification test and phone number management endpoints to enforce user authentication.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34758. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart