CVE-2026-34758 Overview
CVE-2026-34758 is a critical missing authentication vulnerability in OneUptime, an open-source monitoring and observability platform. Prior to version 10.0.42, the application exposed Notification test and Phone Number management API endpoints without requiring authentication. This flaw allows unauthenticated attackers to abuse SMS, Call, Email, and WhatsApp notification services, as well as purchase phone numbers through the platform.
Critical Impact
Unauthenticated attackers can abuse notification services (SMS/Call/Email/WhatsApp) and purchase phone numbers, potentially leading to significant financial damage and abuse of the platform's communication infrastructure.
Affected Products
- OneUptime versions prior to 10.0.42
- OneUptime Notification API endpoints
- OneUptime Phone Number management endpoints
Discovery Timeline
- April 2, 2026 - CVE-2026-34758 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34758
Vulnerability Analysis
This vulnerability stems from missing authentication controls (CWE-306) on critical API endpoints within the OneUptime platform. The affected endpoints handle sensitive notification operations including SMS messaging, phone calls, email dispatch, WhatsApp communications, and phone number provisioning. Without proper authentication middleware, these endpoints were accessible to any unauthenticated user who could reach the API.
The network-accessible nature of this flaw means attackers can exploit it remotely without requiring any privileges or user interaction. Successful exploitation could result in unauthorized access to notification services, enabling attackers to send fraudulent communications or incur costs by purchasing phone numbers on behalf of legitimate users.
Root Cause
The root cause of CVE-2026-34758 is the absence of user authentication middleware on the Notification API routes. The Call.ts and PhoneNumber.ts API handlers processed requests without verifying that the caller presented valid authentication credentials. This is a classic instance of CWE-306, Missing Authentication for Critical Function: sensitive operations were exposed without any access control.
Attack Vector
An attacker can exploit this vulnerability by sending direct HTTP requests to the exposed Notification and Phone Number API endpoints. Since no authentication is required, the attacker simply needs network access to the OneUptime instance to:
- Send arbitrary SMS messages, phone calls, emails, or WhatsApp messages through the notification testing endpoints
- Purchase phone numbers through the phone number management endpoints
- Potentially enumerate or abuse other notification-related functionality
The attack requires no special privileges, no user interaction, and can be performed entirely over the network.
// Security patch adding authentication middleware to Call.ts
// Source: https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4
} from "Common/Server/Utils/Express";
import logger from "Common/Server/Utils/Logger";
import Response from "Common/Server/Utils/Response";
+import UserMiddleware from "Common/Server/Middleware/UserAuthorization";
import ProjectCallSMSConfig from "Common/Models/DatabaseModels/ProjectCallSMSConfig";
const router: ExpressRouter = Express.getRouter();
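Review bot: only the UserMiddleware import is visible in this excerpt of Call.ts; none of these lines show the middleware being attached to the notification test routes registered on `router`, and an unused import leaves those endpoints exactly as exposed as before. Confirm that every send/test route in the file gains the middleware in its handler chain (before the handler, not after it) and that no route is left on an unauthenticated path.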
// Security patch adding authentication middleware to PhoneNumber.ts
// Source: https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4
import ObjectID from "Common/Types/ObjectID";
import IncomingCallPolicyService from "Common/Server/Services/IncomingCallPolicyService";
import ProjectService from "Common/Server/Services/ProjectService";
+import UserMiddleware from "Common/Server/Middleware/UserAuthorization";
import Express, {
ExpressRequest,
ExpressResponse,
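Review bot: the PhoneNumber.ts excerpt again shows only the import and breaks off inside the Express import statement, so the purchase route itself is not visible; confirm it is wrapped with the middleware. Since this file already imports ProjectService, also confirm that the handler checks the authenticated user's permission on the project that will be billed before a number is purchased, because UserMiddleware establishes who the caller is, not whether they may spend that project's money.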
Detection Methods for CVE-2026-34758
Indicators of Compromise
- Unexpected or anomalous API requests to /notification/ or /phone-number/ endpoints without valid authentication tokens
- Unusual spikes in outbound SMS, call, email, or WhatsApp notification volumes
- Unauthorized phone number purchases appearing in billing or provisioning logs
- API access logs showing requests to notification endpoints from unknown IP addresses or without session identifiers
Detection Strategies
- Monitor API gateway and web server logs for requests to Notification and Phone Number endpoints that lack authentication headers or valid session tokens
- Implement anomaly detection on notification service usage patterns to identify unusual volumes or destinations
- Review billing records for unexpected phone number purchases or notification service charges
- Deploy web application firewall (WAF) rules to alert on unauthenticated access attempts to critical API paths
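The log-based indicators and detection strategies above, as an added example that is not part of the original advisory: it scans access-log lines for requests to /notification/ and /phone-number/ paths that carry neither a bearer token nor a session cookie, and flags sources that burst such requests within one minute. The JSON log format, its field names and the `Bearer`/`session` conventions are assumptions, and the sample lines are constructed.

```typescript
// Added example, not OneUptime's own code: scans access-log lines for hits on
// the notification and phone-number endpoints that carry no credential, and for
// sources sending more than `threshold` such hits within one minute.
// Assumed log format (constructed): one JSON object per line, fields as below.
interface AccessLogEntry {
  ts: string;             // ISO 8601 timestamp
  src: string;            // client IP
  method: string;
  path: string;
  authorization?: string; // Authorization header, if present
  cookie?: string;        // Cookie header, if present
}
const SENSITIVE_PREFIXES = ["/notification/", "/phone-number/"];

function isSensitive(path: string): boolean {
  return SENSITIVE_PREFIXES.some((p) => path.indexOf(p) === 0);
}
// No bearer token and no session cookie: the request carried no credential.
function isUnauthenticated(e: AccessLogEntry): boolean {
  const bearer = /^Bearer\s+\S+/i.test(e.authorization || "");
  const session = /(?:^|;\s*)(?:session|connect\.sid)=\S+/i.test(e.cookie || "");
  return !bearer && !session;
}
// Returns "src METHOD path" for each credential-less hit on a sensitive path,
// plus the sources that exceeded `threshold` sensitive hits in one minute.
function analyze(lines: string[], threshold = 3): { unauthenticated: string[]; burstSources: string[] } {
  const hits = lines.filter((l) => l.trim() !== "")
    .map((l) => JSON.parse(l) as AccessLogEntry).filter((e) => isSensitive(e.path));
  const unauthenticated = hits.filter(isUnauthenticated)
    .map((e) => `${e.src} ${e.method} ${e.path}`);
  // Sensitive hits per source per minute; key is "src|YYYY-MM-DDTHH:MM".
  const perMinute: { [key: string]: number } = {};
  for (const e of hits) {
    const key = `${e.src}|${e.ts.slice(0, 16)}`;
    perMinute[key] = (perMinute[key] || 0) + 1;
  }
  const burstSources: string[] = [];
  for (const key of Object.keys(perMinute)) {
    const src = key.split("|")[0];
    if (perMinute[key] > threshold && burstSources.indexOf(src) < 0) burstSources.push(src);
  }
  return { unauthenticated, burstSources };
}
// Constructed sample: one authenticated test call, then an unauthenticated burst.
const SAMPLE_LOG = [
  '{"ts":"2026-04-02T10:00:01Z","src":"10.0.0.5","method":"POST","path":"/notification/sms/test","authorization":"Bearer eyJ.example"}',
  '{"ts":"2026-04-02T10:00:02Z","src":"203.0.113.7","method":"POST","path":"/notification/sms/test"}',
  '{"ts":"2026-04-02T10:00:03Z","src":"203.0.113.7","method":"POST","path":"/notification/call/test"}',
  '{"ts":"2026-04-02T10:00:04Z","src":"203.0.113.7","method":"POST","path":"/phone-number/purchase"}',
  '{"ts":"2026-04-02T10:00:05Z","src":"203.0.113.7","method":"POST","path":"/phone-number/purchase"}',
];
```

Run `analyze(SAMPLE_LOG)` to get the four credential-less hits and `203.0.113.7` as the single bursting source; map your gateway's actual field names onto `AccessLogEntry` before using it on real logs.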
Monitoring Recommendations
- Enable detailed logging for all API endpoints, particularly those handling notifications and phone number management
- Set up alerts for notification service abuse thresholds (e.g., sudden increase in SMS/call volume)
- Monitor authentication failure rates and unauthenticated request patterns to sensitive endpoints
- Implement rate limiting on notification endpoints as an additional defense layer
How to Mitigate CVE-2026-34758
Immediate Actions Required
- Upgrade OneUptime to version 10.0.42 or later immediately
- Review notification service logs and billing records for signs of unauthorized abuse
- If upgrade is not immediately possible, restrict network access to the OneUptime API endpoints using firewall rules
- Audit phone number purchases and notification history for any unauthorized activity
Patch Information
OneUptime has addressed this vulnerability in version 10.0.42. The fix adds the UserMiddleware authentication middleware to the Notification API routes, ensuring all requests to notification test and phone number management endpoints require valid user authentication.
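As an added example, not OneUptime's own code, the following static audit scans a router source file for routes registered without the authentication middleware described in the Root Cause and Patch Information sections. It assumes routes are registered as `router.<verb>(path, ...middleware, handler)` and that the middleware is referenced as `UserMiddleware.getUserMiddleware`, a name assumed from the import in the patch rather than taken from the page; the sample router text is constructed.

```typescript
// Added example, not OneUptime's own code: a static audit of an Express router
// source file that lists routes registered without the user-authentication
// middleware. Assumptions: routes are registered as
// router.<verb>("/path", ...middleware, handler), and the middleware is
// referenced as UserMiddleware.getUserMiddleware (a name assumed from the
// import added in the patch; set authMarker to the real identifier).
interface RouteAudit {
  method: string;
  path: string;
  authenticated: boolean;
}
// Group 1: HTTP verb; group 2: path; group 3: everything between the path and
// the start of the handler ("=>" or "function"), i.e. the middleware chain.
const ROUTE_RE =
  /router\.(get|post|put|delete|patch)\(\s*["'`]([^"'`]+)["'`]\s*,([\s\S]*?)(?:=>|\bfunction\b)/;

function auditRoutes(
  source: string,
  authMarker = "UserMiddleware.getUserMiddleware",
): RouteAudit[] {
  const results: RouteAudit[] = [];
  const re = new RegExp(ROUTE_RE.source, "g"); // fresh lastIndex per call
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    results.push({
      method: m[1].toUpperCase(),
      path: m[2],
      authenticated: m[3].indexOf(authMarker) >= 0,
    });
  }
  return results;
}
// Routes that would accept a request with no credential, as "VERB /path".
function unauthenticatedRoutes(source: string): string[] {
  return auditRoutes(source)
    .filter((r) => !r.authenticated)
    .map((r) => `${r.method} ${r.path}`);
}
// Constructed samples shaped like the handlers before and after the patch.
const BEFORE_PATCH = `
router.post("/sms/test", async (req: ExpressRequest, res: ExpressResponse) => {
  return Response.sendJsonObjectResponse(req, res, { sent: true });
});
router.post("/phone-number/purchase", async (req, res) => { /* buy a number */ });
`;
const AFTER_PATCH = BEFORE_PATCH.replace(/, async/g, ", UserMiddleware.getUserMiddleware, async");
console.log(unauthenticatedRoutes(BEFORE_PATCH)); // -> POST /sms/test, POST /phone-number/purchase
console.log(unauthenticatedRoutes(AFTER_PATCH)); // -> []
```

Point it at the real Call.ts and PhoneNumber.ts after upgrading: an empty result for the notification and phone-number routes is the check that the fix is actually applied to every route, not merely imported.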
For detailed patch information, refer to:
Workarounds
- Restrict network access to OneUptime API endpoints using firewall rules or network segmentation until the patch can be applied
- Place a reverse proxy or API gateway in front of OneUptime that enforces authentication on all incoming requests
- Disable or remove notification testing functionality if not required for operations
- Implement IP allowlisting to limit API access to trusted sources only
# Example: Restrict access to OneUptime API using iptables
# Allow only trusted IP ranges to access the API port (3000 here; adjust to your deployment)
# Rule order matters: the ACCEPT rule must be evaluated before the catch-all DROP
iptables -A INPUT -p tcp --dport 3000 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
# Repeat with ip6tables if the instance is also reachable over IPv6
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.