Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65966

CVE-2025-65966: Oneuptime Auth Bypass Vulnerability

CVE-2025-65966 is an authentication bypass flaw in Hackerbay Oneuptime that allows low-permission users to create unauthorized accounts via direct API requests. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-65966 Overview

CVE-2025-65966 is a high-severity improper authorization vulnerability [CWE-285] in OneUptime, an open-source platform for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts by sending a direct request to the account creation API, bypassing the intended interface restrictions. The flaw allows authenticated users with limited privileges to invoke functionality that should be reserved for administrators or the public registration workflow. Hackerbay has patched the issue in OneUptime version 9.1.0.

Critical Impact

A low-privileged user can create arbitrary accounts via direct API calls, undermining tenant integrity and access boundaries within OneUptime deployments.

Affected Products

  • Hackerbay OneUptime version 9.0.5598
  • Self-hosted OneUptime deployments running affected releases
  • Cloud OneUptime tenants prior to the 9.1.0 patch

Discovery Timeline

  • 2025-11-26 - CVE-2025-65966 published to NVD
  • 2025-12-05 - Last updated in NVD database

Technical Details for CVE-2025-65966

Vulnerability Analysis

The vulnerability resides in OneUptime's account creation endpoint. The application enforces authorization at the user interface layer but fails to apply the same controls at the API layer. A low-permission user authenticated to the platform can issue a direct HTTP request to the account creation API and have it processed without the role checks expected by the UI workflow. This is a classic improper authorization weakness [CWE-285], where server-side enforcement does not match client-side restrictions. Because the attack is conducted over the network with no user interaction required, exploitation is straightforward for any attacker holding minimal valid credentials within a target tenant.

Root Cause

The root cause is the absence of a server-side authorization check on the account creation API handler. OneUptime relied on the front-end to gate the action, leaving the backend route reachable by any authenticated session regardless of role. Requests that should be rejected for low-privilege roles are instead processed and persisted.

Attack Vector

An attacker authenticates with a low-privilege account, then crafts a direct API request to the account creation endpoint. The server processes the request and provisions a new account, potentially with elevated context or as a foothold for further abuse. No social engineering or local access is required. The attacker only needs network reachability to the OneUptime API and a valid low-privilege session token.

No public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-m449-vh5f-574g for vendor-provided technical details.

Detection Methods for CVE-2025-65966

Indicators of Compromise

  • Unexpected account creation events in OneUptime audit logs originating from non-administrative user sessions.
  • API requests to the account creation route from user agents or clients that do not match the standard OneUptime web UI.
  • New users appearing in tenants without corresponding administrator approval workflows.

Detection Strategies

  • Correlate authenticated session identifiers with role assignments and flag account creation calls performed by non-admin roles.
  • Hunt for direct API invocations to the account creation endpoint that lack the request headers or referrers typical of the OneUptime UI.
  • Baseline normal account creation volume per tenant and alert on deviations.

Monitoring Recommendations

  • Forward OneUptime application and audit logs to a centralized SIEM for retention and correlation.
  • Enable detailed access logging on the reverse proxy or API gateway fronting OneUptime to capture request paths, source IPs, and authenticated user identifiers.
  • Review newly created accounts daily until all instances are upgraded to version 9.1.0.

How to Mitigate CVE-2025-65966

Immediate Actions Required

  • Upgrade all OneUptime deployments to version 9.1.0 or later, which contains the authorization fix.
  • Audit existing accounts created on or after the deployment of version 9.0.5598 and remove unauthorized entries.
  • Rotate credentials for any low-privilege accounts that may have been used to abuse the endpoint.

Patch Information

Hackerbay released the fix in OneUptime version 9.1.0. The patch enforces authorization checks at the API layer for the account creation route. Details and remediation guidance are published in the OneUptime GitHub Security Advisory GHSA-m449-vh5f-574g.

Workarounds

  • Restrict network access to the OneUptime API to trusted administrative networks until the upgrade is complete.
  • Disable or tightly limit low-privilege user roles in shared tenants pending patch deployment.
  • Apply web application firewall rules to block account creation API requests that do not originate from authorized administrative sessions.
bash
# Example: upgrade OneUptime self-hosted deployment via Docker Compose
git fetch --tags
git checkout 9.1.0
docker compose pull
docker compose up -d

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.