In OneUptime version 9.0.5598, the application exposes an API endpoint for creating user accounts that is normally reached only through administrative interfaces. Low-permission users can bypass the front-end restrictions by sending HTTP requests directly to this endpoint. The vulnerability arises from missing server-side authorization checks on the account creation API: when a user crafts a POST request to an endpoint such as /api/accounts, the server processes it without verifying the requester's privileges, so any authenticated user, regardless of role, can create new accounts.

The issue stems from an inadequate role-based access control (RBAC) implementation. The application relies on client-side validation but fails to enforce permissions on the backend. Attackers can use tools like curl or scripts to send the API call directly; by supplying parameters such as username, email, and password, they create accounts without authorization, bypassing the intended workflow in which only admins create accounts. The direct API access can be exploited through network interception or manual request crafting. In multi-tenant setups, this could lead to account proliferation and resource abuse. The vulnerability does not require advanced techniques; basic HTTP knowledge suffices.

The patch in version 9.1.0 adds proper authorization validation before account creation. It enforces server-side checks of user roles and permissions, which prevents low-permission users from accessing this critical function. The fix validates session tokens and privilege levels on all API routes. Without the patch, continued exploitation risks system integrity and data segregation. Overall, this is a broken access control issue common in web applications.
Platform: OneUptime
Version: 9.0.5598
Vulnerability: Account creation bypass
Severity: Medium
Date: 2025-11-26
Prediction: Patch version 9.1.0
What Undercode Says:
Analytics:
curl -X POST http://localhost:3000/api/accounts -H "Content-Type: application/json" -d '{"email":"[email protected]","password":"password"}'
python3 -c "import requests; response = requests.post('http://target/api/accounts', json={'email':'[email protected]','password':'123'}); print(response.text)"
How to Exploit:
Send a POST request to /api/accounts with a low-permission user's token. Use intercepted credentials or an existing session. Craft a JSON payload with the account details. This bypasses the UI restrictions entirely.
Protection from this CVE:
Update to version 9.1.0. Implement server-side authorization checks on the account creation route. Enforce role-based access control on the backend rather than relying on the UI.
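The fix the advisory describes (server-side validation of the session token and privilege level before an account is created) is illustrated below as an added example. This is not OneUptime's code; the route shape, the role names admin and member, the permission string accounts:create and the token store are assumptions, and the vulnerable handler is shown beside the hardened one so the missing check is visible.

```javascript
// Added example: server-side authorization for an account-creation route.
// Not OneUptime code; route shape, role names and token store are assumptions.

// Permission table: which roles may perform which actions (constructed).
const PERMISSIONS = {
  admin: new Set(["accounts:create", "accounts:read"]),
  member: new Set(["accounts:read"]),
};

// Constructed session store standing in for a real token lookup.
const SESSIONS = {
  "tok-admin": { userId: "u1", role: "admin" },
  "tok-member": { userId: "u2", role: "member" },
};

// Authentication: map a bearer token to a session, or null if absent/unknown.
function resolveSession(authHeader) {
  if (typeof authHeader !== "string" || !authHeader.startsWith("Bearer ")) return null;
  return SESSIONS[authHeader.slice("Bearer ".length)] || null;
}

// Authorization: does this session's role grant the requested permission?
function hasPermission(session, permission) {
  const granted = PERMISSIONS[session.role];
  return Boolean(granted && granted.has(permission));
}

// Vulnerable pattern from the advisory: the UI hides "create account" from
// non-admins, but the handler only checks that some valid session exists.
function createAccountUnchecked(req, store) {
  const session = resolveSession(req.headers.authorization);
  if (!session) return { status: 401 };
  store.push({ email: req.body.email, createdBy: session.userId });
  return { status: 201 };
}

// Hardened pattern: authenticate, then authorize against the permission
// table, then validate input, all on the server before any account is written.
function createAccountChecked(req, store) {
  const session = resolveSession(req.headers.authorization);
  if (!session) return { status: 401 };
  if (!hasPermission(session, "accounts:create")) return { status: 403 };
  const { email, password } = req.body || {};
  const valid = typeof email === "string" && email.includes("@")
    && typeof password === "string" && password.length >= 12;
  if (!valid) return { status: 400 };
  store.push({ email, createdBy: session.userId });
  return { status: 201 };
}
```

A member-role token reaches 201 through the unchecked handler but 403 through the checked one; the same permission lookup can wrap every route so the check is not forgotten on a single endpoint.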
Impact:
Unauthorized account creation. Resource consumption abuse. Potential privilege escalation.
Sources:
Reported By: nvd.nist.gov