CVE-2026-30920
Published: 10 March 2026
Summary
CVE-2026-30920 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 1.3 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforce authorization checks on the GitHub App callback and related endpoints so that a caller cannot overwrite another project's installation binding or create records in a project it does not belong to.
- SI-10 (Information Input Validation): validate the attacker-controlled state and installation_id inputs in the callback, and tie state to the project and user that started the flow, so that a forged or replayed value cannot drive an update.
- AC-6 (Least Privilege): restrict modification of GitHub App installations and repository records to authorized owners of the target project rather than performing the write with root privileges on the caller's behalf.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated authorization bypass in the public-facing OneUptime web application maps directly to T1190 (Exploit Public-Facing Application). It also allows unauthorized repository enumeration via installation IDs (T1213.003, Data from Information Repositories: Code Repositories) and arbitrary CodeRepository record creation (T1565.001, Data Manipulation: Stored Data Manipulation).
NVD Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding. Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project. This vulnerability is fixed in 10.0.19.
Deeper analysis
CVE-2026-30920 is a vulnerability in OneUptime, a solution for monitoring and managing online services, affecting versions prior to 10.0.19. The issue lies in OneUptime's GitHub App callback, which trusts attacker-controlled state and installation_id values to update Project.gitHubAppInstallationId with isRoot: true without validating the caller's authorization for the target project. This allows overwriting another project's GitHub App installation binding. Related GitHub endpoints also lack effective authorization, enabling the use of a valid installation ID to enumerate repositories and create CodeRepository records in an arbitrary project. The vulnerability carries a CVSS score of 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L) and maps to CWEs 345, 639, and 862.
Unauthenticated attackers can exploit this remotely with low attack complexity and no user interaction required. By controlling the state and installation_id parameters in the callback, they can overwrite GitHub App installation bindings for projects they do not own, potentially disrupting service integrations. Additionally, using a valid installation ID on poorly authorized endpoints, attackers can enumerate repositories and inject CodeRepository records into arbitrary projects, leading to unauthorized data creation and exposure within OneUptime instances.
The vulnerability is addressed in OneUptime version 10.0.19. Security practitioners should upgrade to this version for remediation. Further details on the fix and mitigation are available in the GitHub security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-656w-6f6c-m9r6.
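The trust flaw described above (a callback that accepts state and installation_id as given and writes the project binding with root privileges) and the mitigating controls listed earlier can be made concrete. The TypeScript below is an added example written for this page; it is not OneUptime's code or its 10.0.19 fix. The Project record shape, the HMAC-signed state format, the handler signatures and the sample data are all constructed assumptions. It places a callback that treats state as a project identifier next to a hardened one that verifies a signed, expiring state bound to the session user, validates installation_id, and checks project ownership before writing the binding.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Constructed for this example; a real deployment loads the secret from configuration.
const STATE_SECRET = "example-state-signing-secret";
const STATE_TTL_MS = 10 * 60 * 1000; // a callback state is only good for ten minutes

// Hypothetical record shapes; not OneUptime's models.
export interface StatePayload { projectId: string; userId: string; exp: number; }
export interface Project { id: string; ownerIds: string[]; gitHubAppInstallationId: string | null; }
export type CallbackResult = { ok: boolean; reason: string };

const sign = (body: string): Buffer => createHmac("sha256", STATE_SECRET).update(body).digest();

// Issued server-side before redirecting the user to GitHub. The state names the project and
// the user who started the flow, carries an expiry, and is covered by an HMAC over that body.
export function issueState(projectId: string, userId: string, now: number = Date.now()): string {
  const payload: StatePayload = { projectId, userId, exp: now + STATE_TTL_MS };
  const body = Buffer.from(JSON.stringify(payload), "utf8").toString("hex");
  return `${body}.${sign(body).toString("hex")}`;
}

function parsePayload(body: string): StatePayload | null {
  try {
    const p = JSON.parse(Buffer.from(body, "hex").toString("utf8"));
    if (typeof p?.projectId !== "string" || typeof p?.userId !== "string" || typeof p?.exp !== "number") {
      return null;
    }
    return p as StatePayload;
  } catch {
    return null;
  }
}

// Check the MAC before reading any field, then reject expired states.
export function verifyState(state: string, now: number = Date.now()): StatePayload | null {
  const parts = state.split(".");
  if (parts.length !== 2) return null;
  const [body, macHex] = parts;
  const expected = sign(body);
  const given = Buffer.from(macHex, "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const payload = parsePayload(body);
  if (!payload || payload.exp < now) return null;
  return payload;
}

// Vulnerable shape, constructed to match the advisory's description: state is taken as the
// target project id, installation_id is stored as received, and the write runs as root
// without asking whether the caller may touch that project.
export function vulnerableCallback(projects: Map<string, Project>, state: string, installationId: string): CallbackResult {
  const project = projects.get(state);
  if (!project) return { ok: false, reason: "no-such-project" };
  project.gitHubAppInstallationId = installationId; // isRoot-style write, no authorization
  return { ok: true, reason: "bound" };
}

// Hardened shape: the caller must be authenticated, the state must verify and belong to that
// caller, installation_id must be well-formed, and the caller must own the target project.
export function hardenedCallback(
  projects: Map<string, Project>,
  sessionUserId: string | null,
  state: string,
  installationId: string,
  now: number = Date.now(),
): CallbackResult {
  if (!sessionUserId) return { ok: false, reason: "unauthenticated" };
  const payload = verifyState(state, now);
  if (!payload) return { ok: false, reason: "invalid-state" };
  if (payload.userId !== sessionUserId) return { ok: false, reason: "state-user-mismatch" };
  if (!/^[0-9]{1,20}$/.test(installationId)) return { ok: false, reason: "invalid-installation-id" };
  const project = projects.get(payload.projectId);
  if (!project) return { ok: false, reason: "no-such-project" };
  if (!project.ownerIds.includes(sessionUserId)) return { ok: false, reason: "forbidden" };
  project.gitHubAppInstallationId = installationId; // scoped to a project the caller owns
  return { ok: true, reason: "bound" };
}

// Constructed scenario: user-b attempts to rebind project-a, which only user-a owns.
export function demo(): { vulnerable: CallbackResult; hardened: CallbackResult; legitimate: CallbackResult } {
  const now = 1700000000000;
  const fresh = (): Map<string, Project> => new Map<string, Project>([
    ["project-a", { id: "project-a", ownerIds: ["user-a"], gitHubAppInstallationId: null }],
    ["project-b", { id: "project-b", ownerIds: ["user-b"], gitHubAppInstallationId: null }],
  ]);
  const vulnerable = vulnerableCallback(fresh(), "project-a", "999001");
  // Even a correctly signed state in user-b's name is stopped by the ownership check.
  const hardened = hardenedCallback(fresh(), "user-b", issueState("project-a", "user-b", now), "999001", now);
  const legitimate = hardenedCallback(fresh(), "user-a", issueState("project-a", "user-a", now), "999001", now);
  return { vulnerable, hardened, legitimate };
}
```

The ownership check is deliberately kept even though a verified state already names the user: the state proves who started the flow, not that the user is still allowed to administer that project, so authorization is decided against current project membership at write time.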
Details
- CWE(s)