CVE-2026-34759
Received Received - Intake
Unauthenticated API Access in OneUptime Enables Twilio Account Abuse

Publication date: 2026-04-02

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34759
EUVD
EUVD-2026-18513
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hackerbay oneuptime to 10.0.42 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34759 is a critical vulnerability in the OneUptime open-source monitoring platform affecting versions prior to 10.0.42. Multiple notification API endpoints related to phone number management are exposed without authentication, unlike other similar endpoints that require authorization. These endpoints are accessible externally via an Nginx proxy at /notification/.

An attacker can exploit this by first obtaining a leaked projectId from the public Status Page API, which is unauthenticated and exposes this identifier. Using this projectId, the attacker can purchase phone numbers on the victim's Twilio account without authorization, incurring financial costs. The attacker can also list and delete all existing alerting phone numbers, disrupting alerting services.

Additional unauthenticated endpoints allow reading SMTP configurations (including credentials) and sending emails, as well as sending WhatsApp messages from the organization’s Business account without authorization. The root cause is missing authorization checks on these critical API routes.

Impact Analysis

This vulnerability can have severe impacts including financial abuse, service disruption, and credential exposure.

  • Financial abuse by allowing an attacker to purchase unlimited phone numbers on your Twilio account, incurring potentially large costs.
  • Service disruption by enabling an attacker to delete all existing alerting phone numbers, which halts call-based incident alerts and monitoring notifications.
  • Exposure of SMTP credentials for any project, allowing unauthorized access to email configurations and the ability to send emails through your infrastructure.
  • Abuse of the WhatsApp Business account to send unauthorized messages to arbitrary phone numbers.
Detection Guidance

This vulnerability can be detected by checking for unauthenticated access to specific notification API endpoints exposed by OneUptime prior to version 10.0.42. These endpoints are accessible externally via the Nginx proxy at /notification/ without authentication middleware.

To detect exploitation attempts or presence of this vulnerability, you can monitor network traffic or use commands to test access to the following endpoints without authentication:

  • POST /notification/phone-number/purchase - attempts to purchase phone numbers.
  • POST /notification/phone-number/list-owned - attempts to list owned phone numbers.
  • DELETE /notification/phone-number/release/<id> - attempts to delete owned phone numbers.

Suggested commands to test these endpoints (replace <projectId> and <id> accordingly):

  • curl -X POST 'http://<your-server>/notification/phone-number/purchase' -d '{"projectId":"<projectId>", ...}'
  • curl -X POST 'http://<your-server>/notification/phone-number/list-owned' -d '{"projectId":"<projectId>"}'
  • curl -X DELETE 'http://<your-server>/notification/phone-number/release/<id>'

Additionally, check if the projectId can be retrieved from the public Status Page API, which leaks this identifier and enables exploitation.

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade OneUptime to version 10.0.42 or later, where this vulnerability has been patched.
  • If upgrading is not immediately possible, restrict external access to the /notification/ endpoints via firewall or Nginx configuration to prevent unauthenticated access.
  • Remove or filter out the projectId from the public Status Page API responses to prevent attackers from obtaining it.
  • Add authentication middleware (ClusterKeyAuthorization.isAuthorizedServiceMiddleware) to all notification API endpoints to enforce authorization.
  • Monitor your Twilio account for unauthorized phone number purchases and alerting disruptions.
Compliance Impact

The vulnerability allows unauthenticated attackers to access and manipulate sensitive notification API endpoints, leading to financial abuse, service disruption, and exposure of credentials such as SMTP configuration details. This unauthorized access and potential data exposure could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on access to personal data and system integrity.

Specifically, the exposure of SMTP credentials and the ability to send unauthorized messages or disrupt alerting services may violate data protection and security requirements mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34759. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart