CVE-2026-33142
Published: 20 March 2026
Summary
CVE-2026-33142 is a high-severity SQL Injection (CWE-89) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 1.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Requires validation of user-controlled object keys from API requests before they are interpolated as ClickHouse Identifier parameters into SQL queries, which directly prevents this SQL injection.
SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of flaws such as this SQL injection vulnerability through patching, as demonstrated by the fix in version 10.0.34.
RA-5 (Vulnerability Monitoring and Scanning): Enables vulnerability scanning to identify SQL injection flaws in the StatementGenerator methods, supporting proactive remediation before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploit Public-Facing Application (T1190): SQL injection in the public-facing OneUptime analytics API endpoints (via the sort, select, and groupBy parameters) gives a remote attacker arbitrary query execution against the ClickHouse database behind the web application.
NVD Description
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to three other query construction paths in StatementGenerator. The toSortStatement, toSelectStatement, and toGroupByStatement methods accept user-controlled object keys from API request bodies and interpolate them as ClickHouse Identifier parameters without verifying they correspond to actual model columns. ClickHouse Identifier parameters are substituted directly into queries without escaping, so an attacker who can reach any analytics list or aggregate endpoint can inject arbitrary SQL through crafted sort, select, or groupBy keys. This issue has been patched in version 10.0.34.
Deeper analysis
CVE-2026-33142 is a SQL injection vulnerability (CWE-89) in OneUptime, an open-source solution for monitoring and managing online services. Affecting versions prior to 10.0.34, the flaw exists in the StatementGenerator component's toSortStatement, toSelectStatement, and toGroupByStatement methods. These methods take the object keys of the sort, select, and groupBy parameters from API request bodies and interpolate them as ClickHouse Identifier parameters into SQL queries. Because ClickHouse substitutes Identifier parameters verbatim, without escaping, and these three methods never check that a key names a real model column, any SQL text placed in a key reaches the database unchanged. This issue follows a partial fix for CVE-2026-32306, which added that column name check to the _aggregateBy method but overlooked these three query construction paths. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Attackers with low privileges, such as authenticated users, can exploit this remotely over the network by sending crafted API requests to any analytics list or aggregate endpoint. By injecting malicious keys into sort, select, or groupBy objects, they can execute arbitrary SQL in ClickHouse, enabling high-impact confidentiality and integrity violations like data exfiltration or unauthorized modifications.
OneUptime has patched the issue in version 10.0.34 by applying proper validation to the affected methods. Additional mitigation details are available in the GitHub security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-gcg3-c5p2-cqgg.
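The following TypeScript is an added illustration of the flaw pattern described in the NVD description and the analysis above, together with the shape of the fix (validating request keys against the model's real columns). It is not OneUptime's code: the function names, the LOG_MODEL_COLUMNS set, the request bodies and the renderForDemo helper are all constructed here. renderForDemo only models the one property the advisory states about ClickHouse Identifier parameters, that they are inserted into the query verbatim; it is not ClickHouse's implementation.

```typescript
// Added example (not OneUptime's code). A toy sort-statement builder with the
// flaw pattern from the advisory, beside a hardened builder that allowlists keys.

type SortOrder = "ASC" | "DESC";
type SortRequest = Record<string, SortOrder>;

interface Statement {
  sql: string;                     // query text with {name:Identifier} placeholders
  params: Record<string, string>;  // parameter values sent alongside the query
}

// Constructed model: the columns that actually exist on the analytics table.
const LOG_MODEL_COLUMNS: ReadonlySet<string> = new Set([
  "_id", "projectId", "serviceId", "severityNumber", "createdAt", "body",
]);

// Vulnerable pattern: every object key from the request body becomes an Identifier
// parameter. Nothing checks that the key names a real column of the model.
function buildSortStatementUnsafe(sort: SortRequest): Statement {
  const parts: string[] = [];
  const params: Record<string, string> = {};
  Object.entries(sort).forEach(([key, order], i) => {
    const p = `sort_${i}`;
    params[p] = key;  // attacker-controlled string, passed through untouched
    parts.push(`{${p}:Identifier} ${order === "DESC" ? "DESC" : "ASC"}`);
  });
  return { sql: parts.length ? `ORDER BY ${parts.join(", ")}` : "", params };
}

// Hardened pattern (the shape of the fix the advisory describes): reject any key
// that does not correspond to a column of the model before it reaches the query.
function buildSortStatementSafe(
  sort: SortRequest,
  columns: ReadonlySet<string> = LOG_MODEL_COLUMNS,
): Statement {
  for (const key of Object.keys(sort)) {
    if (!columns.has(key)) {
      throw new Error(`Invalid sort key: ${JSON.stringify(key)}`);
    }
  }
  return buildSortStatementUnsafe(sort);  // keys are now known-good column names
}

// Stand-in for the server-side substitution step that ClickHouse performs. It models
// only the advisory's point: Identifier parameters are spliced in without escaping.
function renderForDemo(stmt: Statement): string {
  return stmt.sql.replace(/\{(\w+):Identifier\}/g, (_m, name: string) => {
    const v = stmt.params[name];
    if (v === undefined) throw new Error(`missing parameter ${name}`);
    return v;
  });
}

// Constructed request bodies: a normal one, and one carrying SQL text in the key.
const benignSort: SortRequest = { createdAt: "DESC" };
const craftedSort: SortRequest = { "createdAt DESC, (SELECT 1) --": "ASC" };

console.log(renderForDemo(buildSortStatementUnsafe(benignSort)));
console.log(renderForDemo(buildSortStatementUnsafe(craftedSort)));
try {
  buildSortStatementSafe(craftedSort);
} catch (e) {
  console.log(`hardened builder rejected the request: ${(e as Error).message}`);
}
```

With the unsafe builder the crafted key lands in the rendered query as "ORDER BY createdAt DESC, (SELECT 1) -- ASC": the injected subquery runs and the trailing comment swallows the rest of the statement. The hardened builder never reaches that point because the key is not a model column. The same allowlist check applies unchanged to select and groupBy keys; parameterisation alone does not help here, since the Identifier parameter type is exactly the one that is not escaped.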
Details
- CWE(s)