Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-34759

CVE-2026-34759: OneUptime Auth Bypass Vulnerability

CVE-2026-34759 is an authentication bypass flaw in OneUptime that allows attackers to access notification APIs without authentication, enabling unauthorized Twilio account manipulation. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-34759 Overview

CVE-2026-34759 is a critical Missing Authentication vulnerability affecting OneUptime, an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers.

Critical Impact

Unauthenticated attackers can exploit missing authentication on notification API endpoints to manipulate Twilio phone numbers, potentially purchasing numbers on victim accounts and deleting existing alerting infrastructure, leading to complete disruption of monitoring capabilities.

Affected Products

  • OneUptime versions prior to 10.0.42

Discovery Timeline

  • 2026-04-02 - CVE CVE-2026-34759 published to NVD
  • 2026-04-02 - Last updated in NVD database

Technical Details for CVE-2026-34759

Vulnerability Analysis

This vulnerability stems from an inconsistent application of authentication controls across the OneUptime notification API. While other endpoints in the codebase properly implement ClusterKeyAuthorization.isAuthorizedServiceMiddleware for access control, the vulnerable notification endpoints at /notification/ lack any authentication middleware whatsoever. This creates a significant security gap where unauthenticated external requests can reach sensitive functionality.

The attack chain is further enabled by an information disclosure issue in the public Status Page API, which leaks projectId values. An attacker can combine this leaked identifier with the unauthenticated notification endpoints to perform unauthorized actions against the Twilio integration, including purchasing new phone numbers on the victim's account and deleting existing alerting numbers.

Root Cause

The root cause is Missing Authorization (CWE-862). The notification API endpoints in App/FeatureSet/Notification/API/Call.ts and App/FeatureSet/Notification/API/PhoneNumber.ts were implemented without the UserMiddleware authentication middleware that should have been applied to protect these sensitive operations. This oversight allowed any external request reaching the Nginx proxy to access these endpoints without verification of user identity or authorization.

Attack Vector

The attack is network-based and requires no user interaction or prior authentication. An attacker can:

  1. Access the public Status Page API to obtain a valid projectId
  2. Craft requests to the /notification/ endpoints exposed through Nginx
  3. Use the leaked projectId to perform unauthorized operations including:
    • Purchasing phone numbers on the victim's Twilio account (incurring financial costs)
    • Deleting existing alerting phone numbers (disrupting monitoring capabilities)

The following patch demonstrates the fix that adds UserMiddleware authentication to the vulnerable endpoints:

typescript
 } from "Common/Server/Utils/Express";
 import logger from "Common/Server/Utils/Logger";
 import Response from "Common/Server/Utils/Response";
+import UserMiddleware from "Common/Server/Middleware/UserAuthorization";
 import ProjectCallSMSConfig from "Common/Models/DatabaseModels/ProjectCallSMSConfig";
 
 const router: ExpressRouter = Express.getRouter();

Source: GitHub Commit Update

Detection Methods for CVE-2026-34759

Indicators of Compromise

  • Unexpected requests to /notification/ API endpoints from external IP addresses
  • Unauthorized Twilio phone number purchases appearing in billing records
  • Missing or deleted alerting phone numbers from OneUptime configuration
  • Anomalous API calls with valid projectId values from unauthenticated sessions

Detection Strategies

  • Monitor access logs for unauthenticated requests to /notification/ endpoints via the Nginx proxy
  • Implement alerting on Twilio account activity including phone number provisioning and deletions
  • Review authentication middleware coverage across all API routes during security audits
  • Deploy web application firewall rules to detect exploitation patterns targeting notification APIs

Monitoring Recommendations

  • Enable detailed logging for all notification API endpoint access
  • Configure Twilio account alerts for any phone number changes or purchases
  • Implement anomaly detection for API requests with valid projectId but no authentication tokens
  • Regularly audit OneUptime logs for unauthorized access attempts to protected resources

How to Mitigate CVE-2026-34759

Immediate Actions Required

  • Upgrade OneUptime to version 10.0.42 or later immediately
  • Audit Twilio account for any unauthorized phone number purchases or deletions
  • Review access logs for any suspicious activity against /notification/ endpoints
  • Temporarily restrict external access to /notification/ endpoints via Nginx if immediate patching is not possible

Patch Information

OneUptime has released version 10.0.42 which addresses this vulnerability by adding proper UserMiddleware authentication to the affected notification API routes. The patch ensures that all notification endpoints now require authenticated user sessions before processing requests.

For detailed patch information, see:

Workarounds

  • Implement Nginx access controls to block external access to /notification/ endpoints until patching is complete
  • Configure network-level restrictions to limit API access to trusted IP ranges
  • Enable Twilio account security features such as spending limits and phone number provisioning restrictions
  • Monitor and review all Twilio account activity while operating on a vulnerable version
bash
# Nginx configuration to temporarily block notification endpoints
# Add to your OneUptime Nginx configuration
location /notification/ {
    # Temporarily deny external access pending upgrade
    allow 127.0.0.1;
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    deny all;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.