
CVE-2026-30959: HackerBay OneUptime Authorization Bypass Flaw

CVE-2026-30959 is an improper authorization vulnerability (CWE-285) in HackerBay OneUptime that lets any authenticated user trigger verification code resends for any user's WhatsApp record. It is not an authentication bypass: the attacker needs a valid account, and the code is delivered to the victim's number, not to the attacker. This post covers technical details, affected versions, and mitigation.


CVE-2026-30959 Overview

CVE-2026-30959 is an Improper Authorization vulnerability affecting OneUptime, an open-source solution for monitoring and managing online services. The vulnerability exists in the resend-verification-code endpoint, which allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID without proper ownership validation.

Critical Impact

Authenticated attackers can abuse the WhatsApp verification system to send unsolicited verification codes to any user's registered WhatsApp number, potentially enabling harassment, resource exhaustion of the messaging quota, or service disruption. Because the code is delivered to the record owner's own number, the flaw does not by itself give the attacker access to the victim's account or data; its impact is abuse of the messaging channel.

Affected Products

  • Hackerbay OneUptime (versions prior to 10.0.21)

Discovery Timeline

  • 2026-03-10 - CVE-2026-30959 published to NVD
  • 2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-30959

Vulnerability Analysis

This vulnerability is classified under CWE-285 (Improper Authorization), indicating a fundamental failure to verify that a requesting user has the appropriate permissions to access or modify a specific resource. The flaw specifically affects the UserWhatsAppAPI.ts endpoint and the UserWhatsAppService.ts service components within the OneUptime application.

When a user makes a request to the resend-verification-code endpoint, the application validates that the user is authenticated but fails to verify that the user actually owns the UserWhatsApp record they are attempting to resend a verification code for. This contrasts with the verify endpoint in the same codebase, which properly implements ownership validation before processing requests.

Root Cause

The root cause lies in inconsistent authorization checks between related API endpoints. While the verify endpoint correctly validates that the authenticated user owns the WhatsApp record before allowing verification, the resend-verification-code endpoint only checks for authentication status. The missing ownership validation allows any authenticated user to enumerate and target arbitrary UserWhatsApp record IDs, triggering verification code deliveries to WhatsApp numbers they do not own or control.
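The following TypeScript is an added illustration, not code from OneUptime's UserWhatsAppAPI.ts or UserWhatsAppService.ts. It models the two handler shapes the advisory contrasts: a resend handler that checks only authentication, and the corrected form that also checks that the authenticated user owns the UserWhatsApp record. The record IDs, user names, phone numbers and in-memory stores are constructed for the example.

```typescript
// Added example, not OneUptime's code: a minimal model of the
// resend-verification-code handler, once without the ownership check the
// advisory describes (CWE-285) and once with it. Names, IDs and the
// in-memory stores are assumptions made for the illustration.

interface UserWhatsAppRecord {
  id: string;
  userId: string; // owner of the record
  phone: string;  // WhatsApp number that receives the verification code
}

interface AuthSession {
  userId: string | null; // null models an unauthenticated request
}

interface HandlerResult {
  status: number; // HTTP-style status code
  body: string;
}

// Constructed data: two users, each owning one UserWhatsApp record.
const RECORDS: UserWhatsAppRecord[] = [
  { id: "wa-1001", userId: "alice", phone: "+15550000001" },
  { id: "wa-1002", userId: "bob", phone: "+15550000002" },
];

// Codes delivered per phone number; stands in for the real WhatsApp sender
// so the effect of each handler is observable.
const SENT: Record<string, number> = {};

function deliverCode(phone: string): void {
  SENT[phone] = (SENT[phone] ?? 0) + 1;
}

function resetSent(): void {
  for (const phone of Object.keys(SENT)) delete SENT[phone];
}

function findRecord(id: string): UserWhatsAppRecord | undefined {
  for (const r of RECORDS) if (r.id === id) return r;
  return undefined;
}

// VULNERABLE shape: only authentication is checked, so any logged-in user can
// name any record ID and the code goes to that record's phone.
function resendVerificationCodeVulnerable(session: AuthSession, id: string): HandlerResult {
  if (session.userId === null) return { status: 401, body: "unauthenticated" };
  const rec = findRecord(id);
  if (rec === undefined) return { status: 404, body: "not found" };
  deliverCode(rec.phone);
  return { status: 200, body: "sent" };
}

// FIXED shape: the record must exist AND belong to the caller. A record owned
// by someone else is reported as 404 rather than 403 so the endpoint does not
// confirm which IDs exist (an anti-enumeration choice of this example).
function resendVerificationCodeFixed(session: AuthSession, id: string): HandlerResult {
  if (session.userId === null) return { status: 401, body: "unauthenticated" };
  const rec = findRecord(id);
  if (rec === undefined || rec.userId !== session.userId) {
    return { status: 404, body: "not found" };
  }
  deliverCode(rec.phone);
  return { status: 200, body: "sent" };
}

// Alice targets Bob's record through both handlers; returns how many codes
// Bob's phone received in each case.
function demo(): { vulnerable: number; fixed: number } {
  resetSent();
  resendVerificationCodeVulnerable({ userId: "alice" }, "wa-1002");
  const vulnerable = SENT["+15550000002"] ?? 0;
  resetSent();
  resendVerificationCodeFixed({ userId: "alice" }, "wa-1002");
  const fixed = SENT["+15550000002"] ?? 0;
  return { vulnerable, fixed };
}

console.log(demo());
```

The ownership comparison is the whole fix: the lookup by ID is the same in both handlers, and the vulnerable one trusts the client-supplied ID as soon as the session is valid. Applying the same pattern that the verify endpoint already used removes the inconsistency the advisory describes.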

Attack Vector

The attack is network-accessible and requires low privileges (any authenticated account). An attacker can exploit this vulnerability by:

  1. Authenticating to the OneUptime platform with any valid user account
  2. Enumerating or guessing valid UserWhatsApp record IDs
  3. Making repeated requests to the resend-verification-code endpoint with target IDs
  4. Triggering unsolicited verification code messages to victims' WhatsApp numbers

This could be weaponized for harassment campaigns, SMS/WhatsApp bombing attacks, or potentially as part of social engineering schemes where attackers claim to be sending legitimate verification requests.

Detection Methods for CVE-2026-30959

Indicators of Compromise

  • Unusual volume of requests to the resend-verification-code endpoint from a single user
  • API requests targeting UserWhatsApp record IDs that do not belong to the authenticated user
  • Multiple verification code triggers for the same WhatsApp number in a short time period

Detection Strategies

  • Rate-limit the resend-verification-code endpoint and alert when a caller trips the limit; per-user anomaly detection on request volume catches slower abuse
  • Monitor API logs for patterns of sequential or bulk ID enumeration attempts
  • Alert on authentication tokens making requests for resources outside their ownership scope
  • Review application logs for elevated error rates or unusual access patterns on the requests handled by UserWhatsAppAPI.ts
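As an added example that is not part of the advisory or of OneUptime, the TypeScript below implements the three indicators listed above as detection rules over access-log lines: a resend request for a record the caller does not own, a burst of resend requests from one user, and repeated resends targeting the same record. The JSON log format, the endpoint path and the record-to-owner map are assumptions; the sample log lines are constructed so the rules can be run offline.

```typescript
// Added example, not from the advisory or OneUptime: detection rules for the
// indicators of compromise, run over constructed access-log lines. The log
// format, the endpoint path and the ownership map are assumptions.

interface LogEvent {
  ts: number;       // epoch seconds
  userId: string;   // authenticated caller
  path: string;     // request path
  recordId: string; // UserWhatsApp record ID named in the request
}

interface Finding {
  rule: string;     // "cross-ownership" | "burst" | "repeat-target"
  userId: string;   // caller the finding is attributed to
  detail: string;
}

// Assumed record -> owner map; in a real deployment this comes from the database.
const OWNER: Record<string, string | undefined> = {
  "wa-1001": "alice",
  "wa-1002": "bob",
  "wa-1003": "carol",
};

const RESEND_PATH = "/api/user-whatsapp/resend-verification-code"; // assumed path

// Constructed sample log: "mallory" walks through IDs she does not own and
// hammers wa-1002; one unrelated verify request is included as noise.
const SAMPLE_LOG = `
{"ts":1000,"userId":"alice","path":"${RESEND_PATH}","recordId":"wa-1001"}
{"ts":1001,"userId":"mallory","path":"${RESEND_PATH}","recordId":"wa-1001"}
{"ts":1002,"userId":"mallory","path":"${RESEND_PATH}","recordId":"wa-1002"}
{"ts":1003,"userId":"mallory","path":"${RESEND_PATH}","recordId":"wa-1003"}
{"ts":1004,"userId":"mallory","path":"${RESEND_PATH}","recordId":"wa-1002"}
{"ts":1005,"userId":"mallory","path":"${RESEND_PATH}","recordId":"wa-1002"}
{"ts":1006,"userId":"mallory","path":"${RESEND_PATH}","recordId":"wa-1002"}
{"ts":1007,"userId":"bob","path":"/api/user-whatsapp/verify","recordId":"wa-1002"}
`;

function parseLog(text: string): LogEvent[] {
  const out: LogEvent[] = [];
  for (const line of text.split("\n")) {
    if (line.trim() === "") continue;
    out.push(JSON.parse(line) as LogEvent);
  }
  return out;
}

function detect(events: LogEvent[], windowSec: number = 60, burstThreshold: number = 5, repeatThreshold: number = 3): Finding[] {
  const findings: Finding[] = [];
  const resends = events.filter((e) => e.path === RESEND_PATH).sort((a, b) => a.ts - b.ts);

  // Rule 1: the caller asked for a resend on a record someone else owns.
  // This is the direct signature of the flaw and fires on a single request.
  for (const e of resends) {
    const owner = OWNER[e.recordId];
    if (owner !== undefined && owner !== e.userId) {
      findings.push({ rule: "cross-ownership", userId: e.userId, detail: `${e.recordId} is owned by ${owner}` });
    }
  }

  // Sliding window over sorted timestamps: index at which the count within
  // windowSec first reaches threshold, or -1 if it never does.
  function firstBurst(stamps: number[], threshold: number): number {
    let start = 0;
    for (let end = 0; end < stamps.length; end++) {
      while (stamps[end] - stamps[start] > windowSec) start++;
      if (end - start + 1 >= threshold) return end;
    }
    return -1;
  }

  const byUser: Record<string, LogEvent[]> = {};
  const byRecord: Record<string, LogEvent[]> = {};
  for (const e of resends) {
    (byUser[e.userId] = byUser[e.userId] ?? []).push(e);
    (byRecord[e.recordId] = byRecord[e.recordId] ?? []).push(e);
  }

  // Rule 2: one user issuing many resends in a short window (enumeration / bombing).
  for (const userId of Object.keys(byUser)) {
    if (firstBurst(byUser[userId].map((e) => e.ts), burstThreshold) >= 0) {
      findings.push({ rule: "burst", userId, detail: `${burstThreshold} resends within ${windowSec}s` });
    }
  }

  // Rule 3: one record (one phone number) hit repeatedly, whoever the callers are.
  for (const recordId of Object.keys(byRecord)) {
    const evs = byRecord[recordId];
    const hit = firstBurst(evs.map((e) => e.ts), repeatThreshold);
    if (hit >= 0) {
      findings.push({ rule: "repeat-target", userId: evs[hit].userId, detail: `${recordId} hit ${repeatThreshold} times within ${windowSec}s` });
    }
  }
  return findings;
}

function countByRule(findings: Finding[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const f of findings) counts[f.rule] = (counts[f.rule] ?? 0) + 1;
  return counts;
}

function runSample(): Record<string, number> {
  return countByRule(detect(parseLog(SAMPLE_LOG)));
}

console.log(runSample());
```

Rule 1 is the only one that is specific to this vulnerability; it needs the record-to-owner mapping joined into the log pipeline, which is why logging the record ID on every verification-related request matters. Rules 2 and 3 are generic volume rules and will also fire on legitimate but impatient users, so tune the thresholds against normal resend traffic before alerting on them.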

Monitoring Recommendations

  • Enable detailed logging for all WhatsApp verification-related API endpoints
  • Set up alerts for threshold breaches on verification code resend requests per user session
  • Monitor for complaints from users receiving unexpected verification codes
  • Track and correlate authentication sessions with resource access patterns

How to Mitigate CVE-2026-30959

Immediate Actions Required

  • Upgrade OneUptime to version 10.0.21 or later immediately
  • Audit existing logs for evidence of exploitation attempts
  • Consider temporarily disabling the WhatsApp verification feature if upgrade cannot be performed immediately
  • Review and restrict API access permissions where possible

Patch Information

The vendor has released version 10.0.21 which addresses this vulnerability by implementing proper ownership validation on the resend-verification-code endpoint. The patch ensures that users can only trigger verification code resends for UserWhatsApp records they own. For full details, refer to the GitHub Release Notes and the GitHub Security Advisory.

Workarounds

  • Implement network-level rate limiting on the resend-verification-code endpoint
  • Deploy a Web Application Firewall (WAF) rule to restrict request frequency to verification endpoints
  • Temporarily disable WhatsApp notification functionality until the patch can be applied
  • Note that a reverse proxy or API gateway cannot perform the missing ownership check on its own, since it has no view of which UserWhatsApp record belongs to which user; proxy-level controls can only slow abuse, and the real fix is the upgrade

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
