CVE-2026-34759
Unauthenticated API Access in OneUptime Enables Twilio Account Abuse
Publication date: 2026-04-02
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hackerbay | oneuptime | up to 10.0.42 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34759 is a critical vulnerability in the OneUptime open-source monitoring platform affecting versions prior to 10.0.42. Multiple notification API endpoints related to phone number management are exposed without authentication, unlike other similar endpoints that require authorization. These endpoints are accessible externally via an Nginx proxy at /notification/.
An attacker can exploit this by first obtaining a leaked projectId from the public Status Page API, which is unauthenticated and exposes this identifier. Using this projectId, the attacker can purchase phone numbers on the victim's Twilio account without authorization, incurring financial costs. The attacker can also list and delete all existing alerting phone numbers, disrupting alerting services.
Additional unauthenticated endpoints allow reading SMTP configurations (including credentials) and sending emails, as well as sending WhatsApp messages from the organization's Business account without authorization. The root cause is missing authorization checks on these critical API routes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to access and manipulate sensitive notification API endpoints, leading to financial abuse, service disruption, and exposure of credentials such as SMTP configuration details. This unauthorized access and potential data exposure could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on access to personal data and system integrity.
Specifically, the exposure of SMTP credentials and the ability to send unauthorized messages or disrupt alerting services may violate data protection and security requirements mandated by these regulations.
How can this vulnerability impact me?
This vulnerability can have severe impacts including financial abuse, service disruption, and credential exposure.
- Financial abuse by allowing an attacker to purchase unlimited phone numbers on your Twilio account, incurring potentially large costs.
- Service disruption by enabling an attacker to delete all existing alerting phone numbers, which halts call-based incident alerts and monitoring notifications.
- Exposure of SMTP credentials for any project, allowing unauthorized access to email configurations and the ability to send emails through your infrastructure.
- Abuse of the WhatsApp Business account to send unauthorized messages to arbitrary phone numbers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unauthenticated access to specific notification API endpoints exposed by OneUptime prior to version 10.0.42. These endpoints are accessible externally via the Nginx proxy at /notification/ without authentication middleware.
To detect exploitation attempts or presence of this vulnerability, you can monitor network traffic or use commands to test access to the following endpoints without authentication:
- POST /notification/phone-number/purchase - attempts to purchase phone numbers.
- POST /notification/phone-number/list-owned - attempts to list owned phone numbers.
- DELETE /notification/phone-number/release/<id> - attempts to delete owned phone numbers.
Suggested commands to test these endpoints (replace <your-server>, <projectId> and <id> accordingly; the JSON body needs a Content-Type header or the server will not parse it):
- curl -X POST 'http://<your-server>/notification/phone-number/purchase' -H 'Content-Type: application/json' -d '{"projectId":"<projectId>", ...}'
- curl -X POST 'http://<your-server>/notification/phone-number/list-owned' -H 'Content-Type: application/json' -d '{"projectId":"<projectId>"}'
- curl -X DELETE 'http://<your-server>/notification/phone-number/release/<id>'
On a patched instance each of these returns 401/403 without a valid cluster key. Note that on an unpatched instance the purchase and release calls are not harmless probes: they really buy or delete numbers on the linked Twilio account, so use the read-only list-owned endpoint as the version check.
Additionally, check if the projectId can be retrieved from the public Status Page API, which leaks this identifier and enables exploitation.
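As an added defensive example (not part of this advisory or the OneUptime project), the script below scans Nginx access-log lines for the three phone-number routes listed above and flags any request that comes from an address outside the trusted in-cluster ranges; a flagged 2xx response means the route accepted the call, i.e. the instance is unpatched or abuse already succeeded. The trusted ranges and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re

# Nginx "combined" access-log format; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Routes named in the advisory; the release route carries a phone-number id.
SENSITIVE = [
    ("POST", re.compile(r"^/notification/phone-number/purchase$")),
    ("POST", re.compile(r"^/notification/phone-number/list-owned$")),
    ("DELETE", re.compile(r"^/notification/phone-number/release/[^/]+$")),
]

# Ranges treated as in-cluster callers (assumption: adjust to your deployment).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7")]

def is_external(ip: str) -> bool:
    # True when the client address lies outside every trusted range.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source address: treat as untrusted
    return not any(addr in net for net in TRUSTED_NETS)

def find_external_notification_calls(lines):
    """One finding per request to a sensitive route from an external address."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string
        for method, pattern in SENSITIVE:
            if m.group("method") == method and pattern.match(path) and is_external(m.group("ip")):
                status = int(m.group("status"))
                # "accepted" means the route answered 2xx: unpatched instance, or abuse that succeeded
                findings.append({"ip": m.group("ip"), "time": m.group("ts"), "endpoint": f"{method} {path}",
                                 "status": status, "accepted": 200 <= status < 300})
    return findings

SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.7 - - [02/Apr/2026:10:15:01 +0000] "POST /notification/phone-number/list-owned HTTP/1.1" 200 412 "-" "curl/8.5.0"',
    '10.0.3.14 - - [02/Apr/2026:10:15:05 +0000] "POST /notification/phone-number/purchase HTTP/1.1" 200 88 "-" "node"',
    '203.0.113.7 - - [02/Apr/2026:10:15:09 +0000] "DELETE /notification/phone-number/release/pn_1a2b HTTP/1.1" 200 2 "-" "curl/8.5.0"',
    '203.0.113.7 - - [02/Apr/2026:10:16:30 +0000] "POST /notification/phone-number/purchase?v=1 HTTP/1.1" 401 27 "-" "curl/8.5.0"',
]
```

Run it as `find_external_notification_calls(open("/var/log/nginx/access.log").read().splitlines())` against the proxy that fronts /notification/; only the purchase call from 10.0.3.14 in the sample is treated as legitimate in-cluster traffic.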
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade OneUptime to version 10.0.42 or later, where this vulnerability has been patched.
- If upgrading is not immediately possible, restrict external access to the /notification/ endpoints via firewall or Nginx configuration to prevent unauthenticated access.
- Remove or filter out the projectId from the public Status Page API responses to prevent attackers from obtaining it.
- Add authentication middleware (ClusterKeyAuthorization.isAuthorizedServiceMiddleware) to all notification API endpoints to enforce authorization.
- Monitor your Twilio account for unauthorized phone number purchases and alerting disruptions.