{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34758", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:17:10.225Z", "datePublished": "2026-04-02T18:49:29.826Z", "dateUpdated": "2026-04-03T15:58:23.101Z"}, "containers": {"cna": {"title": "OneUptime: Missing Authentication on Notification Endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp"}, {"name": "https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4", "tags": ["x_refsource_MISC"], "url": "https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4"}, {"name": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42", "tags": ["x_refsource_MISC"], "url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42"}], "affected": [{"vendor": "OneUptime", "product": "oneuptime", "versions": [{"version": "< 10.0.42", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:49:29.826Z"}, "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42."}], "source": {"advisory": "GHSA-q253-6wcm-h8hp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T15:57:41.799020Z", "id": "CVE-2026-34758", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:58:23.101Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34758", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T15:57:41.799020Z"}}}], "references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:57:54.784Z"}}], "cna": {"title": "OneUptime: Missing Authentication on Notification Endpoints", "source": {"advisory": "GHSA-q253-6wcm-h8hp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OneUptime", "product": "oneuptime", "versions": [{"status": "affected", "version": "< 10.0.42"}]}], "references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp", "name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4", "name": "https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42", "name": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:49:29.826Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34758", "state": "PUBLISHED", "dateUpdated": "2026-04-03T15:58:23.101Z", "dateReserved": "2026-03-30T19:17:10.225Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T18:49:29.826Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6DF2447-080C-4EB9-AA6C-4486A22088FA", "versionEndExcluding": "10.0.40", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42."}], "id": "CVE-2026-34758", "lastModified": "2026-04-03T19:52:26.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T19:21:33.670", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.0.42)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "oneuptime", "source": "cna", "vendor": "OneUptime"}, "product": "oneuptime", "vendor": "oneuptime"}], "analysis": {"en": {"generated_at": "2026-04-02T22:21:59.546488+00:00", "value": {"mitigation_remediation": ["Update OneUptime to version 10.0.42 or later to cover the missing authentication checks.", "If immediate update is not feasible, restrict network access to the Notification test and Phone Number management endpoints using firewalls or VPNs to limit exposure to trusted users.", "Periodically review outbound communication logs for irregular SMS, call, email, or WhatsApp activity that could indicate exploitation.", "Consider disabling or removing unnecessary notification features in the OneUptime configuration to reduce attack surface."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized use of notification channels"}, "threat_synthesis": {"affected_systems": "The flaw affects the OneUptime open\u2011source monitoring and observability platform, specifically all releases prior to version 10.0.42. Users running 10.0.41 or earlier versions are vulnerable. Corporate deployments of OneUptime that expose the notification endpoints to external networks are at risk. Version 10.0.42 and newer contain the fix where authentication is enforced on the affected endpoints.", "description_and_impact": "The vulnerability arises from missing authentication checks on OneUptime\u2019s Notification test and Phone Number management endpoints. An attacker who can send unauthenticated requests to these endpoints can trigger SMS, call, email, or WhatsApp messages and even purchase phone numbers. The lack of credential verification allows an external actor to abuse the platform\u2019s communication capabilities, potentially spamming users, violating regulatory requirements, or incurring unexpected costs. This weakness is cataloged under CWE\u2011306, indicating an authentication bypass.", "risk_and_exploitability": "With a CVSS score of 9.1 the vulnerability is classified as critical. No EPSS score is available, but the absence of authentication suggests that exploitation requires only the discovery of the endpoints, which are exposed by default. The issue has not been listed in the CISA KEV catalog, yet the potential for large\u2011scale abuse makes it a high\u2011priority target. Consequently, the risk remains high until the platform is updated or network controls are applied."}}}}, "created": "2026-04-03T07:31:38.799048+00:00", "updated": "2026-04-03T09:16:35.627141+00:00", "vendors": ["oneuptime", "oneuptime$PRODUCT$oneuptime"]}