CVE-2026-32306 is a critical SQL injection vulnerability in oneuptime, a Node.js-based telemetry aggregation tool. An authenticated user of the telemetry aggregation API can inject SQL into the ClickHouse queries it builds, exposing tenants' telemetry data and opening a path to remote code execution. Versions prior to 10.0.23 are affected; 10.0.23 contains the fix.
The impact is severe because user-controlled request parameters are interpolated directly into ClickHouse SQL text, with neither validation nor parameter binding, so any value the attacker controls becomes part of the statement. With arbitrary SQL against the ClickHouse instance an attacker can read everything it holds, including every tenant's telemetry, and modify or corrupt that data. Whether the flaw escalates to remote code execution depends on what the ClickHouse user the application connects as is allowed to do: table functions such as url(), file() and remote() let a query reach the network, the filesystem or other servers, and ClickHouse gates each of them behind a grant (the URL, FILE and REMOTE privileges under SOURCES). The root cause is the classic one: SQL text assembled from request input instead of bound query parameters.
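The pattern described above, as an added example that is not oneuptime's code: a telemetry-aggregation query builder in the vulnerable shape (request fields interpolated into ClickHouse SQL) beside a hardened version that allowlists the pieces that must be SQL syntax and binds everything else as ClickHouse query parameters. The function names, the `telemetry` table, the request fields and the two request objects are all constructed for illustration.

```javascript
// Added example (not OneUptime's code). Function and field names are
// hypothetical; the table "telemetry" and the requests below are constructed.

// --- Vulnerable: request fields are interpolated straight into SQL text ---
function buildAggregateQueryVulnerable(req) {
  return (
    "SELECT toStartOfMinute(time) AS bucket, avg(value) AS v FROM telemetry " +
    `WHERE tenant = '${req.tenantId}' AND metric = '${req.metric}' ` +
    `AND time >= '${req.start}' GROUP BY bucket ORDER BY bucket`
  );
}

// --- Hardened: allowlist what must be SQL syntax, bind everything else ---
// ClickHouse accepts server-side query parameters written as {name:Type} in
// the query text, with the values sent separately (query_params in the
// official Node.js client, --param_<name> on clickhouse-client). A bound value
// can only ever be data of the declared type, never SQL.
const ALLOWED_METRICS = new Set(["cpu", "memory", "latency_ms"]);
const ALLOWED_AGGREGATES = new Set(["avg", "min", "max", "sum", "count"]);
const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function buildAggregateQuerySafe(req) {
  // Identifiers and function names cannot be parameters, so they are checked
  // against a closed allowlist before being placed in the query text.
  if (!ALLOWED_AGGREGATES.has(req.agg)) throw new Error("unsupported aggregate");
  if (!ALLOWED_METRICS.has(req.metric)) throw new Error("unknown metric");
  if (!UUID_RE.test(req.tenantId)) throw new Error("malformed tenant id");
  const start = new Date(req.start);
  if (Number.isNaN(start.getTime())) throw new Error("malformed start time");

  const sql =
    `SELECT toStartOfMinute(time) AS bucket, ${req.agg}(value) AS v FROM telemetry ` +
    "WHERE tenant = {tenant:String} AND metric = {metric:String} " +
    "AND time >= {start:DateTime} GROUP BY bucket ORDER BY bucket";
  const params = {
    tenant: req.tenantId,
    metric: req.metric,
    // ClickHouse DateTime parameters take 'YYYY-MM-DD hh:mm:ss'.
    start: start.toISOString().slice(0, 19).replace("T", " "),
  };
  return { sql, params };
}

// Constructed requests: one benign, one whose metric field turns the filter
// into a UNION against ClickHouse's own query log.
const TENANT = "0f7a4c8e-9b1d-4e2a-8c3f-5d6e7f8a9b0c";
const BENIGN_REQUEST = {
  tenantId: TENANT, metric: "cpu", agg: "avg", start: "2026-03-13T00:00:00Z",
};
const MALICIOUS_REQUEST = {
  tenantId: TENANT,
  agg: "avg",
  metric: "cpu' UNION ALL SELECT now(), length(query) FROM system.query_log WHERE 1 --",
  start: "2026-03-13T00:00:00Z",
};

// True when the attacker's payload ended up in the SQL text as SQL.
function payloadReachesSql(sql) {
  return /UNION ALL SELECT/i.test(sql);
}

function demo() {
  const vuln = buildAggregateQueryVulnerable(MALICIOUS_REQUEST);
  console.log("vulnerable builder emits:", vuln);
  console.log("payload became SQL:", payloadReachesSql(vuln));
  try {
    buildAggregateQuerySafe(MALICIOUS_REQUEST);
  } catch (e) {
    console.log("hardened builder rejected request:", e.message);
  }
  console.log("hardened builder, benign request:", buildAggregateQuerySafe(BENIGN_REQUEST));
}
demo();
```

The hardened builder still interpolates one thing, the aggregate function name, because ClickHouse parameters bind values, not syntax; that is why it is drawn from a closed set first. Everything the client can type freely travels as a typed parameter and never reaches the SQL parser as text.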
CVE-2026-32306 was publicly disclosed on 2026-03-13. Its CVSS rating is CRITICAL; note that CVSS measures severity, not likelihood of exploitation, and the EPSS estimate given on this page is 0.40% (60th percentile). No public proof-of-concept had been released at the time of writing, but because the bug is plain string interpolation with no input validation, one would be easy to write. The vulnerability has not been added to the CISA KEV catalog.
Organizations running oneuptime for telemetry aggregation are at significant risk, particularly multi-tenant deployments and those storing sensitive data in ClickHouse, since the injected queries are not confined to the calling tenant's data. Shared hosting environments where oneuptime runs alongside other applications are also exposed: a compromise of oneuptime that reaches code execution could affect the other tenants on the same host.
Detection checks (adjust to your deployment):
• nodejs / server: confirm oneuptime is running and note which version is deployed:
ps aux | grep -i oneuptime
• linux / server: follow the service log. An attack will not announce itself as "SQL injection"; look instead for ClickHouse errors (DB::Exception, syntax errors) raised while serving the telemetry aggregation API, which is what probing or malformed payloads produce:
journalctl -u oneuptime -f | grep -iE "DB::Exception|syntax error"
• database: the injection sink is ClickHouse, not mysql, redis, mongodb or postgresql, so check there. Record the server version and confirm what the user the application connects as is allowed to do:
SELECT version();
SHOW GRANTS;   -- grants of the current session's user
• generic web: confirm the endpoint is reachable and that an unauthenticated request is refused (the vulnerable path requires authentication, so an anonymous request should not return 200):
curl -sS -o /dev/null -w '%{http_code}\n' http://<oneuptime_server>/api/telemetry/aggregate
Disclosure: 2026-03-13
Exploitation status: no public PoC; not in CISA KEV
EPSS: 0.40% (60th percentile)
The primary mitigation for CVE-2026-32306 is to upgrade oneuptime to version 10.0.23 or later, which contains the fix. If upgrading is not immediately feasible, restrict access to the telemetry aggregation API to trusted users; this narrows the attack surface but does not remove the flaw, since the vulnerable path is reachable by any authenticated user. Audit the ClickHouse user oneuptime connects as and reduce it to least privilege: read access to the telemetry tables only, no SOURCES grants (FILE, URL, REMOTE), and no access to system tables it does not need. Monitor ClickHouse's system.query_log for statements the aggregation path would never issue: UNION clauses, references to system.* tables, table functions, comment sequences, and syntax errors from the application user. After upgrading, confirm the fix against a test instance you are authorized to test: send aggregation requests whose parameters contain a single quote, a comment sequence (--) or a UNION clause and verify that they are rejected or treated as literal data rather than producing a ClickHouse syntax error.
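One way to act on the monitoring advice above, as an added example that is not part of the original advisory or of oneuptime: a scan over rows exported from ClickHouse's system.query_log that flags statements an aggregation endpoint should never issue. The application user name `oneuptime_app`, the indicator list and all six log rows are constructed for illustration; the export command in the comment uses clickhouse-client's standard JSONEachRow output.

```javascript
// Added example (not OneUptime's or ClickHouse's code). The user name and
// sample rows are constructed. Real rows can be exported with, for example:
//   clickhouse-client --query "SELECT event_time, user, type, query, exception
//     FROM system.query_log WHERE event_time > now() - 3600
//     FORMAT JSONEachRow" > query_log.jsonl

const APP_USER = "oneuptime_app"; // assumed name of the application's ClickHouse user

// Each indicator is a regex over the query text plus a reason to report.
const INDICATORS = [
  { re: /\bsystem\.[a-z_]+/i, why: "references a system table" },
  { re: /\b(url|file|s3|remote|remoteSecure|mysql|postgresql|hdfs)\s*\(/i, why: "calls a table function" },
  { re: /\bUNION\b/i, why: "UNION in an aggregation query" },
  { re: /(--|\/\*)/, why: "comment sequence inside query text" },
  { re: /\b(ALTER|DROP|TRUNCATE|INSERT|INTO\s+OUTFILE|GRANT|CREATE)\b/i, why: "write or DDL from the application user" },
];

// Scans JSONEachRow text; returns one finding per suspicious finished query.
function scanQueryLog(jsonl) {
  const findings = [];
  for (const line of jsonl.split("\n")) {
    if (!line.trim()) continue;
    const row = JSON.parse(line);
    if (row.user !== APP_USER) continue;     // other users have their own baseline
    if (row.type === "QueryStart") continue;  // judge each query once, on its final row
    const reasons = INDICATORS.filter((i) => i.re.test(row.query)).map((i) => i.why);
    // A parse failure from the app user means a payload broke the statement,
    // which a correctly parameterized query never does.
    if (/^Exception/.test(row.type) && /Syntax error/i.test(row.exception || "")) {
      reasons.push("failed to parse: probe or broken injection attempt");
    }
    if (reasons.length > 0) {
      findings.push({ event_time: row.event_time, query: row.query, reasons });
    }
  }
  return findings;
}

// Constructed sample: a benign parameterized query, a successful injection
// (start + finish rows), a table-function call, a probe that failed to parse,
// and an unrelated query by a different user.
const SAMPLE_QUERY_LOG = [
  `{"event_time":"2026-03-14 10:00:01","user":"oneuptime_app","type":"QueryFinish","query":"SELECT toStartOfMinute(time) AS bucket, avg(value) AS v FROM telemetry WHERE tenant = {tenant:String} AND metric = {metric:String} AND time >= {start:DateTime} GROUP BY bucket ORDER BY bucket","exception":""}`,
  `{"event_time":"2026-03-14 10:00:02","user":"oneuptime_app","type":"QueryStart","query":"SELECT toStartOfMinute(time) AS bucket, avg(value) AS v FROM telemetry WHERE tenant = '0f7a4c8e-9b1d-4e2a-8c3f-5d6e7f8a9b0c' AND metric = 'cpu' UNION ALL SELECT now(), query FROM system.query_log WHERE 1 --' AND time >= '2026-03-13 00:00:00' GROUP BY bucket ORDER BY bucket","exception":""}`,
  `{"event_time":"2026-03-14 10:00:02","user":"oneuptime_app","type":"QueryFinish","query":"SELECT toStartOfMinute(time) AS bucket, avg(value) AS v FROM telemetry WHERE tenant = '0f7a4c8e-9b1d-4e2a-8c3f-5d6e7f8a9b0c' AND metric = 'cpu' UNION ALL SELECT now(), query FROM system.query_log WHERE 1 --' AND time >= '2026-03-13 00:00:00' GROUP BY bucket ORDER BY bucket","exception":""}`,
  `{"event_time":"2026-03-14 10:00:05","user":"oneuptime_app","type":"QueryFinish","query":"SELECT * FROM url('http://203.0.113.10/ok', 'RawBLOB', 'r String')","exception":""}`,
  `{"event_time":"2026-03-14 10:00:09","user":"oneuptime_app","type":"ExceptionBeforeStart","query":"SELECT toStartOfMinute(time) AS bucket, avg(value) AS v FROM telemetry WHERE tenant = '0f7a4c8e-9b1d-4e2a-8c3f-5d6e7f8a9b0c' AND metric = 'cpu'' AND time >= '2026-03-13 00:00:00' GROUP BY bucket ORDER BY bucket","exception":"Code: 62. DB::Exception: Syntax error: failed at position 140"}`,
  `{"event_time":"2026-03-14 10:01:00","user":"default","type":"QueryFinish","query":"SELECT count() FROM system.query_log","exception":""}`,
].join("\n");

for (const f of scanQueryLog(SAMPLE_QUERY_LOG)) {
  console.log(f.event_time, f.reasons.join("; "));
  console.log("  " + f.query);
}
```

The scan deliberately keys on the application user: a DBA running `SELECT ... FROM system.query_log` is normal, the same statement arriving under oneuptime's credentials is not. Tune the indicator list to what your aggregation path legitimately emits before alerting on it.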
Upgrade OneUptime to 10.0.23 or later. This version fixes the SQL injection vulnerability in the telemetry aggregation API.
CVE-2026-32306 is a critical SQL injection vulnerability in oneuptime that lets an authenticated attacker inject SQL into ClickHouse queries, potentially leading to data breaches and remote code execution.
You are affected if you run any oneuptime version prior to 10.0.23. The vulnerable code path is the telemetry aggregation API, so anyone who can authenticate to it can trigger the flaw.
Upgrade oneuptime to version 10.0.23 or later to remediate the vulnerability. If immediate upgrade is not possible, restrict access to the telemetry aggregation API and monitor ClickHouse logs.
No active exploitation has been publicly confirmed, but the flaw is easy to exploit, so treat exploitation as likely and monitor for it.
Refer to the oneuptime project's official release notes and security advisories on their GitHub repository or website for the latest information.