Listen to this Post
CVE-2026-30956 details an authorization bypass vulnerability in OneUptime versions prior to 10.0.21 . The flaw resides in how the application handles multi-tenancy. A low-privileged attacker can send a forged `is-multi-tenant-query` header along with a manipulated `projectid` header . The server incorrectly trusts this client-supplied header, which causes the `BasePermission` checks to be skipped and disables tenant scoping mechanisms . This allows the attacker to bypass tenant isolation and access project data belonging to other organizations . By exploiting nested relations, the attacker can read sensitive user fields, including the plaintext `resetPasswordToken` . With this token, the attacker can reset the victim’s password and achieve full account takeover, leading to critical data exposure .
Platform: OneUptime
Version: up to 10.0.20
Vulnerability: Authorization Bypass
Severity: Critical
Date: March 10, 2026
Prediction: Patch exists (10.0.21)
What Undercode Say:
Analytics
The vulnerability is caused by trusting client-supplied headers (is-multi-tenant-query, projectid) to enforce tenant isolation, leading to a critical CVSS score of 10.0 . This bypasses core permission checks (BasePermission), allowing low-privileged users to access cross-tenant data and retrieve plaintext password reset tokens for account takeover .
Bash/PoC
Demonstrating the header forgery with curl Target a project data endpoint from a low-privilege account curl -X GET \ -H "is-multi-tenant-query: true" \ -H "projectid: <VICTIM_PROJECT_ID>" \ -H "Authorization: Bearer <ATTACKER_LOW_PRIV_TOKEN>" \ https://oneuptime-instance.com/api/projects/data
Exploit
- Attacker authenticates as a low-privileged user and obtains a valid session token.
- Attacker identifies a target project ID belonging to a different tenant.
- The attacker sends a crafted API request to a data endpoint.
- The request includes the forged headers: `is-multi-tenant-query: true` and
projectid: <TARGET_PROJECT_ID>. - The server skips tenant scoping, granting the attacker access to the target project’s data.
- Attacker queries nested user relations to leak the plaintext
resetPasswordToken. - Using the stolen token, the attacker resets the victim’s password and takes over the account.
Protection
- Immediate Upgrade: Update OneUptime to version 10.0.21 or later, which contains the fix for this vulnerability .
- Input Validation: Implement strict server-side validation for all tenant and permission-related headers. Never rely on client-side flags for security decisions.
- Monitor Logs: Review access logs for unusual patterns, such as the presence of the `is-multi-tenant-query` header in requests from standard users.
Impact
- Cross-Tenant Data Exposure: Attackers can view sensitive project data belonging to other organizations using the same OneUptime instance .
- Credential Leakage: The vulnerability allows the exfiltration of plaintext password reset tokens from user records .
- Full Account Takeover: With a valid reset token, an attacker can completely compromise a victim’s account, leading to a loss of integrity, confidentiality, and availability .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

