Listen to this Post
CVE-2026-33142 arises from incomplete input validation in OneUptime’s query construction logic. A prior fix for CVE-2026-32306 introduced column name validation in the `_aggregateBy` method, but three other methods—toSortStatement, toSelectStatement, and toGroupByStatement—remained unprotected. These methods accept user-controlled object keys from API request bodies (e.g., sort, select, groupBy) and directly interpolate them into ClickHouse queries as Identifier parameters. ClickHouse identifiers are not escaped; they are inserted verbatim. An attacker can inject arbitrary SQL by supplying crafted keys, bypassing the intended column restrictions. The vulnerability affects any analytics list or aggregate endpoint that uses these statement generators. Successful exploitation allows an attacker to read, modify, or delete data, execute system commands via ClickHouse’s capabilities, and potentially compromise the entire database server. The issue is fixed in version 10.0.34, where all query-building paths now share the same column validation routine.
Platform: OneUptime
Version: <10.0.34
Vulnerability: SQL Injection
Severity: Critical
date: 2026-03-20
Prediction: Patched 10.0.34
Analytics under What Undercode Say:
Test for missing sort validation
curl -X GET "https://target/api/analytics/list?sort={\"name\" : \"ASC\", \"(SELECT 1)\" : \"ASC\"}" -H "Authorization: Bearer $TOKEN"
Example crafted groupBy payload
curl -X POST "https://target/api/analytics/aggregate" -H "Content-Type: application/json" -d '{"groupBy": ["column", "1; DROP TABLE users--"]}'
// Vulnerable code snippet from StatementGenerator.toSortStatement
toSortStatement(sort: Record<string, 'ASC' | 'DESC'>): string {
return Object.entries(sort).map(([key, order]) => {
return <code>${key} ${order}</code>; // key directly interpolated
}).join(', ');
}
Exploit:
Send crafted sort, select, or `groupBy` keys containing SQL metacharacters (e.g., 1; DROP TABLE users--). Because the keys are inserted as ClickHouse identifiers without escaping, the injected SQL executes in the context of the database query.
Protection from this CVE
Upgrade to OneUptime version 10.0.34 or later. If immediate upgrade is not possible, deploy a Web Application Firewall (WAF) to block requests containing SQL syntax in sort, select, or `groupBy` parameters, and restrict API access to trusted IPs.
Impact
Successful exploitation leads to full database compromise, data exfiltration, potential remote code execution through ClickHouse, and complete loss of confidentiality, integrity, and availability of the monitoring service.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

