OneUptime, Improper Authorization, CVE-2026-30959 (Medium)

Listen to this Post

The vulnerability, identified as CVE-2026-30959, resides in the `resend-verification-code` endpoint of OneUptime, an open-source observability platform . The core issue is a missing authorization check within the `UserWhatsAppAPI.ts` and `UserWhatsAppService.ts` files . While the corresponding verification endpoint correctly validates that the user requesting an action owns the specific WhatsApp record, the resend endpoint does not perform this check. This allows any authenticated user, regardless of their relationship to the target record, to trigger a verification code resend for any `UserWhatsApp` record simply by knowing or guessing its internal ID. This flaw constitutes an Insecure Direct Object Reference (IDOR) and a missing authorization vulnerability, as it allows a low-privileged user to interact with another user’s resources . The attack vector is over the network, requires low complexity, and needs no user interaction, making it relatively easy to exploit for an authenticated user . The impact is considered medium as it does not lead to data confidentiality or integrity breaches but does affect the availability of the service for the targeted user by potentially triggering unwanted verification messages .

dailycve form:

Platform: OneUptime
Version: < 10.0.21
Vulnerability :Authorization Bypass
Severity: Medium
date: 03/10/2026

Prediction: 03/12/2026

What Undercode Say:

Analytics

The vulnerability stems from inconsistent authorization logic between functionally related endpoints (verify vs. resend). It is classified under multiple CWEs: CWE-285 (Improper Authorization), CWE-639 (Authorization Bypass Through User-Controlled Key), and CWE-862 (Missing Authorization) . The attack surface is limited to authenticated users, but the lack of ownership validation on a key-based record (ID) makes it a classic IDOR vulnerability. The CVSS:4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L) indicates the primary impact is on the availability of the service for the victim, as unwanted verification codes could be sent .

Bash Commands / Code

Example: Check current OneUptime version (if self-hosted)
This command would need to be adapted based on deployment method (e.g., Docker, npm)
For a Docker deployment, you might inspect the running container's image tag.
sudo docker ps --filter "name=oneuptime" --format "table {{.Names}}\t{{.Image}}"
Example: Using curl to exploit the vulnerability (Conceptual - Do not use illegally)
Replace <oneuptime-instance.com> with the target, <session_token> with a valid user session,
and <target_whatsapp_record_id> with the target's record ID.
curl -X POST \
-H "Authorization: Bearer <session_token>" \
-H "Content-Type: application/json" \
-d '{"recordId": "<target_whatsapp_record_id>"}' \
https://<oneuptime-instance.com>/api/user-whatsapp/resend-verification-code
Example: Command to update OneUptime to a patched version (if installed via npm)
npm update -g oneuptime

Exploit

  1. An attacker authenticates as a low-privileged user on the OneUptime platform.
  2. The attacker identifies or enumerates the internal ID of another user’s `UserWhatsApp` record. This could be done through other API endpoints or by guessing sequential IDs.
  3. The attacker crafts a POST request to the `/api/user-whatsapp/resend-verification-code` endpoint, including the target’s record ID in the request body.
  4. Because the endpoint lacks ownership validation, the server processes the request and sends a new verification code to the WhatsApp number associated with the victim’s record.
  5. This can be repeated to cause a denial-of-service condition for the victim by bombarding them with unwanted verification messages.

Protection from this CVE

  1. Patch Immediately: Upgrade OneUptime to version 10.0.21 or later, which contains the fix for this vulnerability .
  2. Implement Consistent Authorization: Ensure that all endpoints that operate on user-specific resources validate that the authenticated user owns or has permission to modify that resource. The logic should be consistent across related functions (e.g., both `verify` and `resend` endpoints should perform the same ownership check).
  3. Use Indirect References: Consider using indirect, non-guessable references (like a hash or a UUID that is not sequential) for resources, rather than exposing internal database IDs.
  4. Code Review: Conduct thorough code reviews focusing on authorization logic, especially for endpoints that handle user data or settings.

Impact

A successful exploit allows an authenticated attacker to trigger unwanted verification messages to any user’s WhatsApp number associated with the platform. This can lead to harassment, user frustration, and a localized denial of service for the targeted individual. The vulnerability has a medium severity rating because it requires authentication and does not directly lead to data theft or system compromise, but it abuses a legitimate function to disrupt the experience of another user .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top