CVE-2026-30956
Published: 10 March 2026
Summary
CVE-2026-30956 is a critical-severity Improper Authorization (CWE-285) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 16.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for logical access, directly preventing bypasses of permission checks and tenant scoping via forged client-supplied headers.
SI-10 requires validation of all information inputs, including untrusted headers such as is-multi-tenant-query and projectid, so that forged values are rejected rather than acted on.
AC-4 enforces approved information flow policies to maintain tenant isolation and prevent cross-tenant data access and account takeover.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authorization bypass in a public-facing web application directly enables exploitation for privilege escalation (T1068), valid account abuse and takeover (T1078), account manipulation via password reset (T1098), exploitation of a public-facing application (T1190), and exposure of unsecured credentials (T1552).
NVD Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low-privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending a forged is-multi-tenant-query header together with a controlled projectid header. Because the server trusts this client-supplied header, internal permission checks in BasePermission are skipped and tenant scoping is disabled. This allows attackers to access project data belonging to other tenants, read sensitive User fields via nested relations, leak plaintext resetPasswordToken, and reset the victim's password and fully take over the account. This results in cross-tenant data exposure and full account takeover. This vulnerability is fixed in 10.0.21.
Deeper analysis
CVE-2026-30956 is an authorization bypass and tenant isolation vulnerability affecting OneUptime, an open-source solution for monitoring and managing online services. In versions 10.0.20 and earlier, the server trusts client-supplied headers, specifically a forged "is-multi-tenant-query" header combined with a controlled "projectid" header. Because these headers are trusted, the server skips the internal permission checks in the BasePermission component and disables tenant scoping, which amounts to improper access control (CWE-285) and missing authorization (CWE-862). The issue has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A low-privileged user within OneUptime can exploit this remotely over the network with low complexity and no user interaction required. By crafting and sending the malicious headers, the attacker bypasses tenant boundaries to access project data from other tenants, read sensitive User fields through nested relations, leak plaintext resetPasswordToken values, reset victims' passwords, and achieve full account takeover. This enables cross-tenant data exposure and complete compromise of targeted accounts.
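As an added example (not OneUptime's code; every type and function name here is hypothetical), the vulnerable pattern this advisory describes beside a hardened version that derives tenant scope from the server-side authenticated principal instead of from request headers:

```typescript
// Added illustration, not OneUptime's code: every name here is hypothetical.
// The point: whether tenant scoping applies must come from the server-side,
// authenticated principal, never from a header the client can set.

interface Principal {
  userId: string;
  isInternalService: boolean; // set by the server after verifying a service credential
  projectIds: string[];       // memberships loaded from the database, not from headers
}

interface ScopedRequest {
  headers: Record<string, string>; // header names lower-cased
  principal: Principal;
}

interface ScopeDecision {
  allowed: boolean;
  enforcePermissions: boolean; // false means per-tenant permission checks are skipped
  projectId?: string;
}

// Vulnerable pattern, the class of bug described above: a client-supplied header
// alone decides that permission checks are skipped and scoping is disabled.
function scopeVulnerable(req: ScopedRequest): ScopeDecision {
  const multiTenant = req.headers["is-multi-tenant-query"] === "true";
  return { allowed: true, enforcePermissions: !multiTenant, projectId: req.headers["projectid"] };
}

// Hardened pattern: the header is ignored entirely. Cross-tenant queries are
// reserved for principals the server itself verified as internal services, and an
// ordinary user may only act on a project they are a member of.
function scopeHardened(req: ScopedRequest): ScopeDecision {
  if (req.principal.isInternalService) {
    return { allowed: true, enforcePermissions: false };
  }
  const requested = req.headers["projectid"];
  if (!requested || !req.principal.projectIds.includes(requested)) {
    return { allowed: false, enforcePermissions: true };
  }
  return { allowed: true, enforcePermissions: true, projectId: requested };
}

// Constructed sample: a low-privileged member of "proj-a" sending the forged headers.
const constructedRequest: ScopedRequest = {
  headers: { "is-multi-tenant-query": "true", projectid: "proj-victim" },
  principal: { userId: "user-1", isInternalService: false, projectIds: ["proj-a"] },
};
```

With the constructed request, scopeVulnerable grants unscoped access to "proj-victim" while scopeHardened denies it, and the same hardened function still admits the user to "proj-a".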
The vulnerability is fixed in OneUptime version 10.0.21, as detailed in the project's GitHub release notes (https://github.com/OneUptime/oneuptime/releases/tag/10.0.21) and security advisory (https://github.com/OneUptime/oneuptime/security/advisories/GHSA-r5v6-2599-9g3m). Security practitioners should upgrade to 10.0.21 or later to mitigate the risks.
Details
- CWE(s): CWE-285 (Improper Authorization), CWE-862 (Missing Authorization)