Listen to this Post
The `resend-verification-code` endpoint in OneUptime versions prior to 8.0.5567 contains an authorization gap that allows any authenticated user to trigger verification code resends for any `UserWhatsApp` record by ID . The vulnerability exists because the resend path lacks the ownership validation that is present in the verify endpoint. When examining the affected source code in UserWhatsAppAPI.ts, the resend endpoint processes requests by accepting an `itemId` from the request body and calling `this.service.resendVerificationCode(req.body.itemId)` without verifying that the `userId` associated with that WhatsApp record matches the authenticated user’s ID. This contrasts with the verify endpoint, which explicitly checks `if (item.userId?.toString() !== (req as OneUptimeRequest)?.userAuthorization?.userId?.toString())` before proceeding. An attacker with a valid account and access token can exploit this by sending a POST request to `/api/user-whats-app/resend-verification-code` with a victim’s `UserWhatsApp` itemId, causing the system to send a verification code to the victim’s phone. The impact includes the ability to spam victims with unwanted verification messages, enabling social engineering attacks through repeated contact, and potentially disrupting normal verification flows for legitimate users.
dailycve form:
Platform: OneUptime
Version: < 8.0.5567
Vulnerability: Improper Access Control
Severity: Medium
Date: 2025-11-26
Prediction: Patch already available
What Undercode Say:
Analytics:
The vulnerability affects OneUptime deployments prior to version 8.0.5567 . This is an authorization bypass issue classified under CWE-284 (Improper Access Control) . The CVSS v4.0 base score is 6.9 (Medium) with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N . The vulnerability is automatable and requires no special privileges beyond a valid user account . A proof-of-concept exists and the exploitation method is straightforward via API request manipulation .
How Exploit:
Set attacker access token
export ATK="Bearer <attacker-access-token>"
Trigger verification code resend for victim's UserWhatsApp item
curl -s -X POST \
-H "Content-Type: application/json" \
-H "Authorization: $ATK" \
-d '{"itemId":"<victim-userwhatsapp-id>"}' \
http://<host>/api/user-whats-app/resend-verification-code
Expected response: HTTP 200 with {} body
New verification code sent to victim's phone
Protection from this CVE:
1. Upgrade to OneUptime version 8.0.5567 or later
2. Apply the official patch from commit `3e72b2a9a4f50f98cf1f6cf13fa3e405715bb370`
- Implement ownership validation by ensuring `item.userId` matches the authenticated user’s ID
- Add per-item and per-user rate limiting for verification code resends
- Review all API endpoints for consistent authorization checks
Impact:
- Ability to spam arbitrary phone numbers with verification codes
- Denial of service through message flooding to victim devices
- Social engineering opportunities via repeated contact attempts
- Disruption of legitimate verification workflows
- Potential lockout scenarios for victims receiving excessive codes
- No direct data breach but enables harassment and service abuse vectors
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

