CVE-2026-34758
Published: 02 April 2026
Summary
CVE-2026-34758 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Hackerbay OneUptime. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique SMS Pumping (T1496.003). The CVE is ranked at the 13.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly requires identification and authorization of actions performable without authentication, preventing unauthenticated access to critical notification and phone management endpoints.
- AC-3 (Access Enforcement): enforces approved access authorizations, blocking unauthenticated requests to sensitive endpoints that enable SMS/call/email/WhatsApp abuse and phone purchases.
- Flaw remediation: mandates timely remediation of identified flaws, such as patching OneUptime to version 10.0.42 to fix the missing authentication vulnerability.
MITRE ATT&CK Enterprise Techniques
- SMS Pumping (T1496.003)
Why these techniques?
The missing authentication on the notification test and phone number endpoints directly enables unauthenticated abuse of SMS, voice calls, emails, and WhatsApp services, facilitating SMS Pumping for resource hijacking and financial impact.
NVD Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42.
Deeper analysis
CVE-2026-34758 is a missing authentication vulnerability (CWE-306) in OneUptime, an open-source monitoring and observability platform. In versions prior to 10.0.42, unauthenticated access to the Notification test and Phone Number management endpoints enables abuse of SMS, calls, emails, and WhatsApp notifications, as well as unauthorized phone number purchases. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity with no privileges or user interaction required.
Unauthenticated attackers with network access can exploit this issue remotely and with low complexity. Exploitation allows arbitrary triggering of costly notification services, including SMS, voice calls, emails, and WhatsApp messages, as well as purchasing phone numbers on behalf of the victim organization, potentially resulting in financial losses, service disruptions, and resource exhaustion.
The vulnerability has been patched in OneUptime version 10.0.42. Administrators should upgrade to this version or later to mitigate the issue. Official resources include the patching commit at https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4, the release notes at https://github.com/OneUptime/oneuptime/releases/tag/10.0.42, and the GitHub security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp.
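As an added illustration (not OneUptime's code and not taken from the patching commit linked above), the following TypeScript sketches the CWE-306 pattern this advisory describes and its fix: a costly handler that never consults the caller's session, the same handler wrapped in an authentication guard so anonymous requests get a 401 before any provider call is made, and a small access-log filter a defender can use to look for anonymous hits on such endpoints while an upgrade to 10.0.42 is pending. The route paths, the Session shape, the helper names and the log-line format are all assumptions constructed for the example.

```typescript
// Added example for CWE-306 (missing authentication on a critical function).
// Hypothetical, not OneUptime's code: routes, Session shape, helpers and the
// log format below are assumptions, and the "provider" calls are stand-ins.

type Session = { userId: string; projectId: string } | null;

interface Request {
  method: "GET" | "POST";
  path: string;
  session: Session; // null when the caller presented no valid credential
  body?: Record<string, unknown>;
}

interface Response { status: number; body: string }
type Handler = (req: Request) => Response;

// Side effects that cost money; recorded so the guard's effect is observable.
const sentMessages: string[] = [];
const purchasedNumbers: string[] = [];

function sendTestSms(to: string): Response {
  sentMessages.push(to);
  return { status: 200, body: `test SMS queued to ${to}` };
}

function purchasePhoneNumber(country: string): Response {
  const num = `+${country}-CONSTRUCTED-${purchasedNumbers.length + 1}`;
  purchasedNumbers.push(num);
  return { status: 200, body: `purchased ${num}` };
}

// Vulnerable pattern: the handler runs the costly action without ever
// looking at req.session, so an anonymous request is honoured.
const vulnerableRoutes: Record<string, Handler> = {
  "POST /notification/test/sms": (req) => sendTestSms(String(req.body?.to ?? "")),
  "POST /phone-number/purchase": (req) => purchasePhoneNumber(String(req.body?.country ?? "")),
};

// Fix: reject unauthenticated callers before the handler can do anything.
function requireAuth(handler: Handler): Handler {
  return (req) => {
    if (req.session === null) {
      return { status: 401, body: "authentication required" };
    }
    return handler(req);
  };
}

// Same endpoints, every one wrapped in the guard (deny by default).
const patchedRoutes: Record<string, Handler> = {};
for (const key of Object.keys(vulnerableRoutes)) {
  patchedRoutes[key] = requireAuth(vulnerableRoutes[key]);
}

function dispatch(routes: Record<string, Handler>, req: Request): Response {
  const handler = routes[`${req.method} ${req.path}`];
  return handler ? handler(req) : { status: 404, body: "not found" };
}

// Status an anonymous POST receives for a path under a given route table.
function anonymousStatus(routes: Record<string, Handler>, path: string): number {
  const req: Request = { method: "POST", path, session: null, body: { to: "+15550000000", country: "US" } };
  return dispatch(routes, req).status;
}

// Status an authenticated POST receives; the guard must still let these through.
function authenticatedStatus(routes: Record<string, Handler>, path: string): number {
  const session: Session = { userId: "u42", projectId: "p1" };
  const req: Request = { method: "POST", path, session, body: { to: "+15550000000", country: "US" } };
  return dispatch(routes, req).status;
}

function costlyActionsPerformed(): number {
  return sentMessages.length + purchasedNumbers.length;
}

// Detection while unpatched: constructed access-log lines in a hypothetical
// "METHOD PATH STATUS user=<id|anon>" format. Successful anonymous hits on the
// sensitive prefixes are the signal worth alerting on.
const sampleAccessLog: string[] = [
  "POST /notification/test/sms 200 user=anon",
  "POST /notification/test/sms 200 user=u42",
  "GET /status 200 user=anon",
  "POST /phone-number/purchase 200 user=anon",
];

const sensitivePrefixes = ["/notification/test/", "/phone-number/"];

function flagUnauthenticatedHits(lines: string[]): string[] {
  return lines.filter((line) => {
    const [, path, status, user] = line.split(" ");
    return user === "user=anon" && status === "200" &&
      sensitivePrefixes.some((p) => path.startsWith(p));
  });
}
```

The guard is applied to the whole route table rather than to individual handlers so that a newly added endpoint cannot silently ship without it; the log filter keys on a successful status for an anonymous caller, which is exactly the condition the patched guard makes impossible.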
Details
- CWE(s): CWE-306 (Missing Authentication for Critical Function)