CVSS 8.1 | CVE-2026-34759 | CVE-2026-34840 | CVE-2026-35053

Oneuptime Patches Multiple Vulnerabilities (CVE-2026-34759 et al.)

Multiple vulnerabilities have been discovered in Oneuptime, potentially leading to financial abuse, service disruption, and authentication bypass. Update to version 10.0.42.


Multiple vulnerabilities have been discovered in Oneuptime, an open-source monitoring and observability platform. These vulnerabilities could lead to financial abuse via phone number purchase, service disruption, and authentication bypass. Version 10.0.42 addresses these issues.

One vulnerability has a CVSS score of 8.1, indicating a high severity risk.

What is Oneuptime?

Oneuptime is an open-source monitoring and observability platform designed to help teams monitor their applications and infrastructure. It provides features such as uptime monitoring, error tracking, and log management. To learn more, you can search all oneuptime CVEs. Oneuptime is built using Node.js and is typically deployed as a set of microservices. It is designed to be scalable and resilient, and it can be deployed on a variety of platforms, including cloud providers and on-premises infrastructure.

CVE-2026-34759: Unauthenticated notification API endpoints

CVSS: 0.0
Affected versions: Oneuptime versions prior to 10.0.42 are vulnerable.

No CVSS score assigned.

EPSS score not available.

Unauthenticated API endpoints in Oneuptime's notification service allow attackers to perform actions without proper authorization. An attacker could exploit this, combined with a project ID leak, to purchase phone numbers on the victim's Twilio account and delete existing alerting numbers, leading to financial abuse and service disruption.

How to fix CVE-2026-34759 in Oneuptime

Patch immediately
  1. Update Oneuptime to version 10.0.42 or later.
Update Oneuptime:
    npm update oneuptime

Workaround: No known workaround.

NextGuard automatically flags CVE-2026-34759 if Oneuptime appears in any of your monitored projects — no manual lookup required.

CVE-2026-34840: Multi-Assertion Identity Injection in SSO

CVSS: 8.1
Affected versions: Oneuptime versions prior to 10.0.42 are vulnerable.

High severity due to potential for authentication bypass.

EPSS score not available.

Oneuptime's SAML SSO implementation decouples signature verification and identity extraction. An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, bypassing authentication and gaining unauthorized access.
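The decoupling described above, modelled as an added example (not OneUptime's code and not taken from any SAML library): the XML-signature step is assumed to have already produced a verdict with the ID of the element it covered, and the two identity extractors differ only in whether they bind the identity to that covered element. The record shape and field names are assumptions for the illustration.

```javascript
// Illustrative model of the bug class behind CVE-2026-34840 (added example, not OneUptime's code).
// Assumed input shape, after XML signature verification has run:
//   response.assertions: [{ id, nameId }]          one entry per <saml:Assertion>, in document order
//   response.signature:  { valid, referenceId }     verdict plus the ID the <ds:Reference URI> pointed at

// Decoupled pattern (the flaw the advisory describes): the code asks "is there a valid
// signature somewhere?" and then reads the identity from whichever assertion comes first.
function extractIdentityDecoupled(response) {
  if (!response.signature.valid) return null;   // passes, because the legit assertion is signed...
  return response.assertions[0].nameId;         // ...but identity is taken from the first element
}

// Bound pattern: the identity must come from the assertion the verified signature actually
// covers, and a response carrying more than one assertion is rejected outright.
function extractIdentityBound(response) {
  const { assertions, signature } = response;
  if (assertions.length !== 1) return null;             // multiple assertions: refuse the login
  const only = assertions[0];
  if (!signature.valid) return null;                    // no verified signature at all
  if (signature.referenceId !== only.id) return null;   // signature covers some other element
  return only.nameId;
}

// Constructed sample: an unsigned assertion placed before the legitimately signed one.
const injectedResponse = {
  assertions: [
    { id: '_injected', nameId: 'admin@example.com' },   // constructed, unsigned
    { id: '_legit', nameId: 'user@example.com' },       // constructed, covered by the signature
  ],
  signature: { valid: true, referenceId: '_legit' },
};

// Constructed sample: a normal single-assertion response.
const normalResponse = {
  assertions: [{ id: '_legit', nameId: 'user@example.com' }],
  signature: { valid: true, referenceId: '_legit' },
};

console.log('decoupled:', extractIdentityDecoupled(injectedResponse)); // admin@example.com
console.log('bound:    ', extractIdentityBound(injectedResponse));     // null
console.log('bound ok: ', extractIdentityBound(normalResponse));       // user@example.com
```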

How to fix CVE-2026-34840 in Oneuptime

Patch immediately
  1. Update Oneuptime to version 10.0.42 or later.
Update Oneuptime:
    npm update oneuptime

Workaround: No known workaround.

NextGuard automatically flags CVE-2026-34840 if Oneuptime appears in any of your monitored projects — no manual lookup required.

CVE-2026-35053: Unauthenticated Workflow Execution

CVSS: 0.0
Affected versions: Oneuptime versions prior to 10.0.42 are vulnerable.

No CVSS score assigned.

EPSS score not available.

The Worker service's ManualAPI in Oneuptime exposes workflow execution endpoints without authentication. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, leading to JavaScript code execution, notification abuse, and data manipulation.

How to fix CVE-2026-35053 in Oneuptime

Patch immediately
  1. Update Oneuptime to version 10.0.42 or later.
Update Oneuptime:
    npm update oneuptime

Workaround: No known workaround.

NextGuard automatically flags CVE-2026-35053 if Oneuptime appears in any of your monitored projects — no manual lookup required.

Stay ahead of nodejs vulnerabilities

Proactively detect and respond to vulnerabilities affecting your nodejs applications by monitoring your nodejs dependencies.


Frequently asked questions

Multiple vulnerabilities were discovered in Oneuptime, and users are advised to update to version 10.0.42 immediately. Stay informed about the latest security threats and see all nodejs vulnerabilities. Regularly updating your dependencies is crucial for maintaining a secure environment.

Related topics

nodejs, vulnerability, security, oneuptime, patch