CVE-2026-30920

HIGH 8.6

OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding

CVSS Score

8.6

EPSS Score

0.0%

EPSS Percentile

0th

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding. Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project. This vulnerability is fixed in 10.0.19.

CWE	CWE-345 CWE-639 CWE-862
Vendor	oneuptime
Product	oneuptime
Published	Mar 9, 2026
Last Updated	Mar 10, 2026

Stay Ahead of the Next One

Get instant alerts for oneuptime oneuptime

Be the first to know when new high vulnerabilities affecting oneuptime oneuptime are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

Low

Affected Versions

OneUptime / oneuptime

< 10.0.19

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-656w-6f6c-m9r6