CVE-2026-34759

low-risk

Published 2026-04-02

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.

Do I need to act?

0.11% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / HIGH complexity

Affected Products (1)

Oneuptime

Affected Vendors

Hackerbay

References (3)

Patch https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433b...

Product https://github.com/OneUptime/oneuptime/releases/tag/10.0.42

Exploit https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6wc5-rhvj-cx7f

/ 100

low-risk

Severity 24/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal