OneUptime Auth Bypass (CVE-2026-34758)
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/Wha...
Overview
A critical security flaw in the OneUptime monitoring platform allows unauthenticated attackers to abuse its notification systems and purchase phone numbers. Tracked as CVE-2026-34758, this vulnerability affects all versions prior to 10.0.42.
Vulnerability Details
OneUptime is an open-source platform for monitoring website uptime and application performance. The vulnerability resides in specific API endpoints designed for testing notifications and managing phone numbers. These endpoints failed to verify user authentication, allowing anyone with network access to the OneUptime server to interact with them directly.
The flaw is highly severe due to its low attack complexity and the complete lack of required privileges or user interaction. An attacker can send requests to these endpoints without needing a valid user account.
Impact and Risks
The impact of this vulnerability is significant and multi-faceted. An unauthenticated attacker can:
- Abuse Communication Channels: Send unlimited test SMS messages, phone calls, emails, and WhatsApp messages. This can lead to spam, phishing campaigns, denial-of-service against the integrated communication services, and substantial financial costs for the organization operating the OneUptime instance.
- Purchase Phone Numbers: Exploit the phone number management functionality to purchase new phone numbers, directly incurring charges and potentially using these numbers for fraudulent activities.
- Operational Disruption: Degrade the integrity of the monitoring platform by flooding its logs and interfering with legitimate alerting functions.
This flaw represents a direct path to financial loss and reputational damage for affected organizations.
Remediation and Mitigation
The primary and only complete mitigation is to update the OneUptime software immediately.
- Patch Immediately: Upgrade your OneUptime installation to version 10.0.42 or later. This version contains the necessary patches to enforce authentication on the affected endpoints.
- No Workarounds: Given the nature of the flaw, there are no effective configuration-based workarounds. Patching is mandatory.
- Verification: After upgrading, administrators should verify that the notification test and phone management features are no longer accessible from unauthenticated sessions.
Security Insight
This incident highlights the critical risk of “internal” administrative or testing endpoints being inadvertently exposed to the public internet without proper access controls. It mirrors a common pattern in web application security where features built for convenience during development or testing are not adequately locked down before production deployment, turning them into a primary attack surface.