CVE-2026-34759

UNKNOWN 0.0

OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.

CWE	CWE-862
Vendor	oneuptime
Product	oneuptime
Published	Apr 2, 2026
Last Updated	Apr 3, 2026

Stay Ahead of the Next One

Get instant alerts for oneuptime oneuptime

Be the first to know when new unknown vulnerabilities affecting oneuptime oneuptime are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

OneUptime / oneuptime

< 10.0.42

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6wc5-rhvj-cx7f github.com: https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4 github.com: https://github.com/OneUptime/oneuptime/releases/tag/10.0.42