CVE-2026-34759 · HIGH 8.1 · EPSS p44.0%

CVE-2026-34759

Description

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.60% probability of exploitation · percentile 44.0% · 2026-06-18T12:00:27Z
Published: 2026-04-02
Last modified: 2026-04-13

Underlying weaknesses · 1

CWE-862 (Missing Authorization)

References

  1. https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4
  2. https://github.com/OneUptime/oneuptime/releases/tag/10.0.42
  3. https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6wc5-rhvj-cx7f

1

Type       Target                            Confidence   Tier
Weakness   Missing Authorization (cwe-862)   0%           live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE · CVE-2026-34758
CVE · CVE-2026-35053
CVE · CVE-2026-30920
CVE · CVE-2026-28787
CVE · CVE-2026-30956
CVE · CVE-2025-65966
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.