Platform
nodejs
Component
oneuptime
Fixed version
10.0.43
OneUptime is an open-source monitoring and observability platform. A critical vulnerability exists in versions prior to 10.0.42 where unauthenticated access to notification API endpoints is possible, potentially leading to unauthorized actions like purchasing phone numbers and deleting existing alerting numbers on a victim's Twilio account. This issue affects OneUptime versions less than or equal to 10.0.42. A patch has been released in version 10.0.42.
CVE-2026-34759 in OneUptime allows an unauthenticated attacker to send notifications via the API, potentially compromising system confidentiality and availability. The lack of authentication on certain notification endpoints, combined with the projectId leak from the public status page, allows an attacker to purchase phone numbers and abuse the notification system. The CVSS score for this vulnerability is high, indicating a significant risk. This vulnerability affects OneUptime versions prior to 10.0.42.
An attacker can exploit this vulnerability by obtaining a projectId through OneUptime's public status page. With this projectId, the attacker can purchase phone numbers and send unauthorized notifications through the notification API without authentication. This could result in mass messaging, system resource exhaustion, or even manipulation of critical alerts. The ease of exploitation, combined with the potential impact, makes this vulnerability a significant concern.
Exploit status
EPSS
0.11% (29th percentile)
CISA SSVC
The primary mitigation for CVE-2026-34759 is to upgrade OneUptime to version 10.0.42 or later. This version includes the correct implementation of the ClusterKeyAuthorization middleware on all notification endpoints, preventing unauthorized access. Additionally, review the configuration of the public status page to avoid disclosing sensitive information like the projectId. Actively monitoring system logs for suspicious activity related to notification APIs is also recommended. If an immediate upgrade is not possible, consider implementing firewall rules to restrict access to notification endpoints.
Upgrade OneUptime to version 10.0.42 or later. This version fixes the authentication vulnerabilities in the notification API endpoints, preventing financial abuse, service disruption, and exposure of SMTP credentials.
If you are using a version prior to 10.0.42, your users could receive unwanted notifications or even be targeted by attacks.
Implementing firewall rules to restrict access to notification endpoints can be a temporary solution.
Refer to the official OneUptime documentation for detailed instructions on how to upgrade to version 10.0.42.
ClusterKeyAuthorization is an authorization middleware that verifies whether a service is authorized to access a resource.