{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34758", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:17:10.225Z", "datePublished": "2026-04-02T18:49:29.826Z", "dateUpdated": "2026-04-03T15:58:23.101Z"}, "containers": {"cna": {"title": "OneUptime: Missing Authentication on Notification Endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp"}, {"name": "https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4", "tags": ["x_refsource_MISC"], "url": "https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4"}, {"name": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42", "tags": ["x_refsource_MISC"], "url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42"}], "affected": [{"vendor": "OneUptime", "product": "oneuptime", "versions": [{"version": "< 10.0.42", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:49:29.826Z"}, "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42."}], "source": {"advisory": "GHSA-q253-6wcm-h8hp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T15:57:41.799020Z", "id": "CVE-2026-34758", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:58:23.101Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34758", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T15:57:41.799020Z"}}}], "references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:57:54.784Z"}}], "cna": {"title": "OneUptime: Missing Authentication on Notification Endpoints", "source": {"advisory": "GHSA-q253-6wcm-h8hp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OneUptime", "product": "oneuptime", "versions": [{"status": "affected", "version": "< 10.0.42"}]}], "references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp", "name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4", "name": "https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42", "name": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:49:29.826Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34758", "state": "PUBLISHED", "dateUpdated": "2026-04-03T15:58:23.101Z", "dateReserved": "2026-03-30T19:17:10.225Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T18:49:29.826Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6DF2447-080C-4EB9-AA6C-4486A22088FA", "versionEndExcluding": "10.0.40", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42."}], "id": "CVE-2026-34758", "lastModified": "2026-04-03T19:52:26.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T19:21:33.670", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.0.42)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "oneuptime", "source": "cna", "vendor": "OneUptime"}, "product": "oneuptime", "vendor": "oneuptime"}], "analysis": {"en": {"generated_at": "2026-04-03T22:25:33.499082+00:00", "value": {"mitigation_remediation": ["Upgrade OneUptime to version 10.0.42 or newer. ", "If an upgrade cannot be applied immediately, block or restrict external access to the notification test and phone\u2011number endpoints using firewall rules or network segmentation. ", "After applying the patch or restriction, verify that all notification endpoints enforce proper authentication before processing requests. ", "Continuously monitor logs for abnormal notification traffic to detect potential abuse."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized use of notification services (SMS, calls, email, WhatsApp) and potential phone number procurement"}, "threat_synthesis": {"affected_systems": "OneUptime, the open\u2011source monitoring and observability platform, is affected in all releases older than version 10.0.42. The vulnerability resides in the notification and phone\u2011number APIs, which are exposed over HTTP and can be accessed by unauthenticated clients.", "description_and_impact": "The flaw is a lack of authentication checks on the Notification test and Phone Number management endpoints, allowing anyone to send messages, initiate calls, or purchase phone numbers through the platform. This is a classic authentication failure described as CWE\u2011306. An attacker could flood users with unwanted notifications or hijack the platform\u2019s communication channels without obtaining any credentials.", "risk_and_exploitability": "The CVSS base score of 9.1 indicates a high\u2011severity risk. The EPSS score of below 1% suggests that exploitation is not yet widespread, and the issue is not included in the CISA KEV catalog. Attackers can exploit this remotely by sending unauthenticated HTTP requests to the vulnerable endpoints; no additional privileges or software are required."}}}}, "created": "2026-04-03T07:31:38.799048+00:00", "updated": "2026-04-07T07:55:26.721184+00:00", "vendors": ["oneuptime", "oneuptime$PRODUCT$oneuptime"]}