Platform: other
Component: oneuptime
Fixed in: 10.0.43
CVE-2026-34758 is a critical vulnerability affecting OneUptime, an open-source monitoring and observability platform. This vulnerability allows unauthenticated access to notification test and phone number management endpoints, enabling malicious actors to abuse SMS, Call, Email, and WhatsApp functionality and potentially purchase phone numbers. The vulnerability impacts versions of OneUptime prior to 10.0.42 and has been resolved in version 10.0.42.
The impact of CVE-2026-34758 is substantial due to the unauthenticated nature of the access. Attackers can leverage this vulnerability to send spam messages via SMS, Call, Email, and WhatsApp, potentially causing significant disruption and reputational damage to users of OneUptime. The ability to purchase phone numbers without authentication opens the door to further malicious activities, such as SIM swapping, account takeover, and fraudulent transactions. The blast radius extends to any organization relying on OneUptime for monitoring and observability, as the vulnerability can be exploited remotely without requiring any credentials.
CVE-2026-34758 was publicly disclosed on 2026-04-02. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-34758 is to immediately upgrade OneUptime to version 10.0.42 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the notification test and phone number management endpoints using a Web Application Firewall (WAF) or proxy server. Configure the WAF/proxy to block requests from unauthorized IP addresses or networks. Review and tighten access controls for these endpoints, ensuring that only authorized users can access them. After upgrading, confirm the fix by attempting to access the notification test and phone number management endpoints without authentication; access should be denied.
Update OneUptime to version 10.0.42 or higher. This version corrects the lack of authentication on notification endpoints, preventing SMS/Call/Email/WhatsApp abuse and unauthorized phone number purchase.
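The temporary workaround above (restricting the affected endpoints to authorized networks at the proxy) is shown below as an added example of an nginx reverse-proxy configuration. It is not part of the advisory and not OneUptime's own configuration. The endpoint paths, the upstream address, the hostname and the admin network 203.0.113.0/24 are all placeholders to be replaced with the values of your deployment; the advisory does not name the actual routes.

```nginx
# Added example: deny-by-default proxy rule for the affected endpoints
# until OneUptime is upgraded. All paths and addresses below are
# PLACEHOLDERS (assumptions), not values from the advisory.

upstream oneuptime_app {
    server 127.0.0.1:3000;            # placeholder: where OneUptime listens
}

server {
    listen 443 ssl;
    server_name monitoring.example.com;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Notification test endpoints: only the admin network may reach them.
    # Every other client receives 403 before the request touches the app.
    location ~ ^/PLACEHOLDER-notification-test-path(/|$) {
        allow 203.0.113.0/24;         # placeholder: your admin network
        deny  all;
        proxy_pass http://oneuptime_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Phone number management endpoints: same allowlist.
    location ~ ^/PLACEHOLDER-phone-number-path(/|$) {
        allow 203.0.113.0/24;         # placeholder: your admin network
        deny  all;
        proxy_pass http://oneuptime_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else is proxied as before.
    location / {
        proxy_pass http://oneuptime_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

With this in place, an unauthenticated request to one of the restricted paths from outside the allowlist is answered with 403 by nginx, and nginx records the refusal ("access forbidden by rule") in its error log, which gives a simple signal to alert on while the workaround is active. The same request pattern doubles as the post-upgrade check the advisory describes: once OneUptime itself enforces authentication, the application should reject the unauthenticated request even after the proxy rule is removed.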
CVE-2026-34758 is a critical vulnerability in OneUptime versions prior to 10.0.42 that allows unauthenticated access to notification and phone number management endpoints, enabling SMS/Call/Email/WhatsApp abuse and phone number purchase.
You are affected if you are using OneUptime version 10.0.42 or earlier. Upgrade to 10.0.42 to resolve this vulnerability.
The recommended fix is to upgrade OneUptime to version 10.0.42 or later. As a temporary workaround, restrict access to the affected endpoints using a WAF or proxy.
Currently, there are no confirmed reports of active exploitation, but the unauthenticated nature of the vulnerability makes it a high-risk concern.
Refer to the OneUptime security advisory for detailed information and updates: [https://oneuptime.com/security](https://oneuptime.com/security)