OneUptime, Authorization Bypass, CVE-2026-30956 (Critical)

Listen to this Post

CVE-2026-30956 details an authorization bypass vulnerability in OneUptime versions prior to 10.0.21 . The flaw resides in how the application handles multi-tenancy. A low-privileged attacker can send a forged `is-multi-tenant-query` header along with a manipulated `projectid` header . The server incorrectly trusts this client-supplied header, which causes the `BasePermission` checks to be skipped and disables tenant scoping mechanisms . This allows the attacker to bypass tenant isolation and access project data belonging to other organizations . By exploiting nested relations, the attacker can read sensitive user fields, including the plaintext `resetPasswordToken` . With this token, the attacker can reset the victim’s password and achieve full account takeover, leading to critical data exposure .
Platform: OneUptime
Version: up to 10.0.20
Vulnerability: Authorization Bypass
Severity: Critical
Date: March 10, 2026

Prediction: Patch exists (10.0.21)

What Undercode Say:

Analytics

The vulnerability is caused by trusting client-supplied headers (is-multi-tenant-query, projectid) to enforce tenant isolation, leading to a critical CVSS score of 10.0 . This bypasses core permission checks (BasePermission), allowing low-privileged users to access cross-tenant data and retrieve plaintext password reset tokens for account takeover .

Bash/PoC

Demonstrating the header forgery with curl
Target a project data endpoint from a low-privilege account
curl -X GET \
-H "is-multi-tenant-query: true" \
-H "projectid: <VICTIM_PROJECT_ID>" \
-H "Authorization: Bearer <ATTACKER_LOW_PRIV_TOKEN>" \
https://oneuptime-instance.com/api/projects/data

Exploit

  1. Attacker authenticates as a low-privileged user and obtains a valid session token.
  2. Attacker identifies a target project ID belonging to a different tenant.
  3. The attacker sends a crafted API request to a data endpoint.
  4. The request includes the forged headers: `is-multi-tenant-query: true` and projectid: <TARGET_PROJECT_ID>.
  5. The server skips tenant scoping, granting the attacker access to the target project’s data.
  6. Attacker queries nested user relations to leak the plaintext resetPasswordToken.
  7. Using the stolen token, the attacker resets the victim’s password and takes over the account.

Protection

  • Immediate Upgrade: Update OneUptime to version 10.0.21 or later, which contains the fix for this vulnerability .
  • Input Validation: Implement strict server-side validation for all tenant and permission-related headers. Never rely on client-side flags for security decisions.
  • Monitor Logs: Review access logs for unusual patterns, such as the presence of the `is-multi-tenant-query` header in requests from standard users.

Impact

  • Cross-Tenant Data Exposure: Attackers can view sensitive project data belonging to other organizations using the same OneUptime instance .
  • Credential Leakage: The vulnerability allows the exfiltration of plaintext password reset tokens from user records .
  • Full Account Takeover: With a valid reset token, an attacker can completely compromise a victim’s account, leading to a loss of integrity, confidentiality, and availability .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top