CVE-2026-34758

CRITICAL 9.1

OneUptime: Missing Authentication on Notification Endpoints

CVSS Score

9.1

EPSS Score

0.0%

EPSS Percentile

8th

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42.

CWE	CWE-306
Vendor	oneuptime
Product	oneuptime
Published	Apr 2, 2026
Last Updated	Apr 3, 2026

Stay Ahead of the Next One

Get instant alerts for oneuptime oneuptime

Be the first to know when new critical vulnerabilities affecting oneuptime oneuptime are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

OneUptime / oneuptime

< 10.0.42

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp github.com: https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4 github.com: https://github.com/OneUptime/oneuptime/releases/tag/10.0.42