Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33142

CVE-2026-33142: Hackerbay OneUptime SQLi Vulnerability

CVE-2026-33142 is a SQL injection flaw in Hackerbay OneUptime that allows attackers to inject arbitrary SQL via analytics endpoints. This post explains its technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-33142 Overview

CVE-2026-33142 is a SQL Injection vulnerability discovered in OneUptime, a solution for monitoring and managing online services. This vulnerability exists in the StatementGenerator class where three query construction methods (toSortStatement, toSelectStatement, and toGroupByStatement) accept user-controlled object keys from API request bodies and interpolate them as ClickHouse Identifier parameters without verifying they correspond to actual model columns.

This issue was identified as an incomplete fix for CVE-2026-32306, which addressed ClickHouse SQL injection via aggregate query parameters. While that fix added column name validation to the _aggregateBy method, it failed to apply the same validation to these three other critical query construction paths.

Critical Impact

Attackers with low-privilege access can inject arbitrary SQL through crafted sort, select, or groupBy keys when accessing any analytics list or aggregate endpoint, potentially leading to unauthorized data access and database manipulation.

Affected Products

  • Hackerbay OneUptime versions prior to 10.0.34

Discovery Timeline

  • 2026-03-20 - CVE-2026-33142 published to NVD
  • 2026-03-23 - Last updated in NVD database

Technical Details for CVE-2026-33142

Vulnerability Analysis

The vulnerability stems from inconsistent input validation across the StatementGenerator class in OneUptime. When the original CVE-2026-32306 was patched, developers added column name validation to the _aggregateBy method to prevent SQL injection through aggregate query parameters. However, three additional methods that construct SQL statements were overlooked: toSortStatement, toSelectStatement, and toGroupByStatement.

These methods accept user-controlled object keys directly from API request bodies. The keys are then interpolated as ClickHouse Identifier parameters, which are substituted directly into queries without any escaping or sanitization. This design flaw allows an attacker who can reach any analytics list or aggregate endpoint to craft malicious sort, select, or groupBy keys that inject arbitrary SQL commands into the ClickHouse database queries.

The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), representing a classic SQL injection attack vector that bypasses the authentication layer once a user has low-privilege access to the system.

Root Cause

The root cause of this vulnerability is incomplete remediation of the original SQL injection issue (CVE-2026-32306). While column name validation was properly implemented in the _aggregateBy method, the same security controls were not extended to the toSortStatement, toSelectStatement, and toGroupByStatement methods in the StatementGenerator class.

ClickHouse Identifier parameters behave differently from standard parameterized queries—they are substituted directly into the query string without escaping, making them vulnerable to injection when accepting untrusted input. The lack of validation against actual model columns allows arbitrary strings to be interpolated into the SQL statements.

Attack Vector

The attack is network-based and requires low-privilege authentication to access the analytics endpoints. An attacker can exploit this vulnerability by:

  1. Authenticating to the OneUptime application with minimal privileges
  2. Crafting malicious API requests to analytics list or aggregate endpoints
  3. Including specially crafted object keys in the sort, select, or groupBy parameters
  4. These keys are passed to the vulnerable statement generation methods
  5. The malicious SQL is interpolated directly into the ClickHouse query without validation

The vulnerability allows attackers to potentially exfiltrate sensitive monitoring data, modify database contents, or perform other unauthorized database operations depending on the database permissions and application configuration. For detailed technical information, see the GitHub Security Advisory.

Detection Methods for CVE-2026-33142

Indicators of Compromise

  • Unusual or malformed API requests to analytics endpoints containing suspicious characters in sort, select, or groupBy parameters
  • Database query logs showing unexpected SQL syntax or commands embedded in identifier fields
  • Error logs indicating SQL parsing failures with injection-like patterns
  • Unauthorized data access patterns or unusual query execution times in ClickHouse logs

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in API request bodies
  • Monitor application logs for requests to analytics endpoints with abnormally long or complex parameter values
  • Enable query logging on ClickHouse to identify malformed or suspicious queries
  • Deploy runtime application self-protection (RASP) solutions to detect SQL injection attempts

Monitoring Recommendations

  • Configure alerting for failed SQL query executions that may indicate injection attempts
  • Establish baseline metrics for analytics endpoint usage and alert on deviations
  • Review access logs for repeated requests to analytics endpoints from unusual sources
  • Monitor for ClickHouse-specific error messages that may indicate exploitation attempts

How to Mitigate CVE-2026-33142

Immediate Actions Required

  • Upgrade OneUptime to version 10.0.34 or later immediately
  • Review access logs for any signs of exploitation targeting analytics endpoints
  • Temporarily restrict access to analytics endpoints if patching cannot be performed immediately
  • Audit database contents for signs of unauthorized modifications

Patch Information

The vulnerability has been patched in OneUptime version 10.0.34. This update extends the column name validation that was added for CVE-2026-32306 to the toSortStatement, toSelectStatement, and toGroupByStatement methods, ensuring all user-controlled object keys are validated against actual model columns before being used in query construction.

Organizations should upgrade to version 10.0.34 or later as soon as possible. The patch is available through the official OneUptime distribution channels. For additional details, refer to the GitHub Security Advisory.

Workarounds

  • Implement network-level access controls to restrict access to analytics endpoints to trusted users only
  • Deploy a WAF with SQL injection detection rules in front of the OneUptime application
  • If possible, disable or restrict access to the analytics list and aggregate endpoints until the patch can be applied
  • Implement additional input validation at the application gateway or reverse proxy level
bash
# Example: Restrict analytics endpoint access via nginx until patched
location ~ ^/api/analytics {
    # Allow only from trusted internal network
    allow 10.0.0.0/8;
    deny all;
    proxy_pass http://oneuptime_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne