
CVE-2026-34758

Critical · Public PoC referenced

Published: 02 April 2026
Modified: 03 April 2026
KEV Added: not listed
Patch: available (10.0.42)
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0035 (26.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-34758 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Hackerbay Oneuptime: endpoints that send paid test notifications and buy phone numbers can be reached without any credentials. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique SMS Pumping (T1496.003, Impact). EPSS ranks its exploit likelihood at the 26.5th percentile (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. The low EPSS should not be read as low urgency: no credentials are needed, every successful call costs the victim money, and the vector rates availability impact as None, so the financial exposure is not reflected in the CVSS impact metrics at all.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-34758 is a missing authentication vulnerability (CWE-306) in OneUptime, an open-source monitoring and observability platform. In versions prior to 10.0.42, unauthenticated access to the Notification test and Phone Number management endpoints enables abuse of SMS, calls, emails, and WhatsApp notifications, as well as unauthorized phone number purchases. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity with no privileges or user interaction required.

Unauthenticated attackers with network access can exploit this issue remotely and with low complexity. Exploitation allows arbitrary triggering of costly notification services, including SMS, voice calls, emails, and WhatsApp messages, as well as purchasing phone numbers on behalf of the victim organization, potentially resulting in financial losses (toll fraud), service disruptions, and resource exhaustion. Because these endpoints exist to send real test messages, abuse looks like ordinary traffic at the application layer; the signals to watch are call volume and requests that carry no authenticated principal.

The vulnerability has been patched in OneUptime version 10.0.42. Administrators should upgrade to this version or later and then confirm that an unauthenticated request to the notification test and phone number endpoints is rejected. If the upgrade must wait, placing the instance behind an authenticating reverse proxy or a network allow-list removes the unauthenticated reach (AV:N, PR:N) that the vector depends on. Official resources include the patching commit at https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4, the release notes at https://github.com/OneUptime/oneuptime/releases/tag/10.0.42, and the GitHub security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-q253-6wcm-h8hp.
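The bug class the advisory describes, as an added illustration that is not OneUptime's code and not part of this page's analysis: a dependency-free TypeScript route table with the costly handlers registered bare (the CWE-306 shape) beside the same handlers behind an authentication guard, plus a table-wide check that no route answers an anonymous request. The route paths, the bearer-token session table and the handler bodies are hypothetical stand-ins; what matters is where the guard sits, not the names.

```typescript
// Added illustration of the CWE-306 pattern as a tiny dependency-free route table.
// It is not OneUptime's code: the route paths, payloads and the bearer-token session
// store are all hypothetical stand-ins.

type Req = { method: string; path: string; headers: Record<string, string> };
type Res = { status: number; body: string };
type Ctx = { user?: string };
type Handler = (req: Req, ctx: Ctx) => Res;

// Constructed session table standing in for a real auth backend.
const SESSIONS: Record<string, string> = { "tok-alice": "alice" };

// Handlers that spend money: an outbound test message and a phone-number purchase.
function sendTestNotification(_req: Req, ctx: Ctx): Res {
  return { status: 200, body: `test message queued by ${ctx.user ?? "anonymous"}` };
}
function purchasePhoneNumber(_req: Req, ctx: Ctx): Res {
  return { status: 200, body: `number purchased by ${ctx.user ?? "anonymous"}` };
}

// Guard: resolve "Authorization: Bearer <token>" to a user or stop with 401.
function requireAuth(next: Handler): Handler {
  return (req, ctx) => {
    const auth = req.headers["authorization"] ?? "";
    const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
    const user = SESSIONS[token];
    if (!user) return { status: 401, body: "authentication required" };
    return next(req, { ...ctx, user });
  };
}

// Before: costly handlers registered bare, so anyone who can reach the port can call them.
const vulnerableRoutes: Record<string, Handler> = {
  "POST /api/notification/test": sendTestNotification,
  "POST /api/phone-number/purchase": purchasePhoneNumber,
};

// After: the same handlers behind the guard; the handler bodies are unchanged.
const hardenedRoutes: Record<string, Handler> = {
  "POST /api/notification/test": requireAuth(sendTestNotification),
  "POST /api/phone-number/purchase": requireAuth(purchasePhoneNumber),
};

function dispatch(routes: Record<string, Handler>, req: Req): Res {
  const handler = routes[`${req.method} ${req.path}`];
  return handler ? handler(req, {}) : { status: 404, body: "not found" };
}

// Regression check for the whole table: every route must turn an anonymous request away.
// Run it in CI so a newly added costly endpoint cannot ship without a guard.
function unguardedRoutes(routes: Record<string, Handler>): string[] {
  return Object.keys(routes).filter((key) => {
    const [method, path] = key.split(" ");
    const res = dispatch(routes, { method, path, headers: {} });
    return res.status !== 401 && res.status !== 403;
  });
}
```

unguardedRoutes(vulnerableRoutes) lists both costly routes; unguardedRoutes(hardenedRoutes) is empty. The same check, pointed at a staging instance over HTTP rather than at an in-process table, is the post-upgrade verification an operator wants after moving to 10.0.42.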

Vulnerability details

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42.

CWE(s)

CWE-306 Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1496.003 SMS Pumping (Impact)
Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.
Why these techniques?

The missing authentication on notification test and phone number endpoints directly enables unauthenticated abuse of SMS, voice calls, emails, and WhatsApp services, facilitating SMS Pumping for resource hijacking and financial impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
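An added detection sketch for the abuse pattern above; it is not part of OneUptime or of this page's analysis. It parses constructed key=value access-log lines (the field and action names are assumed; map them onto whatever your proxy or application actually logs) and raises two findings: a costly action with no authenticated user, and a burst of costly actions from one source inside a sliding window.

```typescript
// Added detection example (not OneUptime code). The log format below is constructed
// for illustration; the field names src/user/action/channel are assumptions.

type Event = { ts: number; src: string; user: string; action: string; channel: string };
type Finding = { rule: string; src: string; detail: string };

// Actions that spend money or acquire telecom resources; the names are hypothetical.
const COSTLY_ACTIONS = new Set(["notification.test", "phone.purchase"]);

// Constructed sample: one anonymous burst of SMS tests followed by a number purchase,
// and one legitimate, authenticated email test from a different source.
const SAMPLE_LOG = [
  "2026-04-03T10:00:01Z src=203.0.113.5 user=- action=notification.test channel=sms",
  "2026-04-03T10:00:02Z src=203.0.113.5 user=- action=notification.test channel=sms",
  "2026-04-03T10:00:03Z src=203.0.113.5 user=- action=notification.test channel=sms",
  "2026-04-03T10:00:04Z src=203.0.113.5 user=- action=notification.test channel=sms",
  "2026-04-03T10:00:05Z src=203.0.113.5 user=- action=notification.test channel=sms",
  "2026-04-03T10:00:09Z src=203.0.113.5 user=- action=phone.purchase channel=-",
  "2026-04-03T10:05:00Z src=198.51.100.7 user=alice action=notification.test channel=email",
  "2026-04-03T10:05:30Z src=198.51.100.7 user=alice action=monitor.list channel=-",
];

// "<ISO timestamp> key=value key=value ..." -> Event, or null for lines we cannot read.
function parseLine(line: string): Event | null {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 2) return null;
  const ts = Date.parse(parts[0]);
  if (Number.isNaN(ts)) return null;
  const kv: Record<string, string> = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    if (i > 0) kv[p.slice(0, i)] = p.slice(i + 1);
  }
  if (!kv.src || !kv.action) return null;
  return { ts: ts / 1000, src: kv.src, user: kv.user ?? "-", action: kv.action, channel: kv.channel ?? "-" };
}

function detect(lines: string[], windowSeconds = 60, burstThreshold = 5): Finding[] {
  const events = lines.map(parseLine).filter((e): e is Event => e !== null).sort((a, b) => a.ts - b.ts);
  const findings: Finding[] = [];
  const perSrc = new Map<string, number[]>(); // timestamps of costly actions per source
  const burstFlagged = new Set<string>();
  for (const e of events) {
    if (!COSTLY_ACTIONS.has(e.action)) continue;
    // Rule 1: on a patched build these endpoints require auth, so an anonymous hit means
    // either an unpatched instance or a bypass; either way it deserves a ticket.
    if (e.user === "-") {
      findings.push({ rule: "unauthenticated-costly-action", src: e.src, detail: e.action });
    }
    // Rule 2: sliding-window count of costly actions per source (toll-fraud burst),
    // reported once per source so a long pump does not flood the queue.
    const stamps = perSrc.get(e.src) ?? [];
    stamps.push(e.ts);
    while (stamps.length && stamps[0] < e.ts - windowSeconds) stamps.shift();
    perSrc.set(e.src, stamps);
    if (stamps.length >= burstThreshold && !burstFlagged.has(e.src)) {
      burstFlagged.add(e.src);
      findings.push({ rule: "costly-action-burst", src: e.src, detail: `${stamps.length} in ${windowSeconds}s` });
    }
  }
  return findings;
}

// Count findings per rule, the shape a dashboard or alert summary would want.
function summarize(findings: Finding[]): Record<string, number> {
  const out: Record<string, number> = {};
  for (const f of findings) out[f.rule] = (out[f.rule] ?? 0) + 1;
  return out;
}
```

On the sample, detect(SAMPLE_LOG) yields six unauthenticated-costly-action findings and one costly-action-burst finding, all for 203.0.113.5; alice's authenticated email test produces nothing. Rule 1 is the one that matters after upgrading: it should fire zero times on 10.0.42, so any hit is a regression or a bypass. Rule 2 still applies to authenticated users, since a stolen session can pump SMS just as well as an anonymous caller; tune windowSeconds and burstThreshold to the legitimate test volume of your operators.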

CVEs Like This One

CVE-2026-35053 (same product: Hackerbay Oneuptime)
CVE-2026-30957 (same product: Hackerbay Oneuptime)
CVE-2026-30958 (same product: Hackerbay Oneuptime)
CVE-2026-33396 (same product: Hackerbay Oneuptime)
CVE-2026-30921 (same product: Hackerbay Oneuptime)
CVE-2026-30920 (same product: Hackerbay Oneuptime)
CVE-2026-34840 (same product: Hackerbay Oneuptime)
CVE-2026-32306 (same product: Hackerbay Oneuptime)
CVE-2026-27574 (same product: Hackerbay Oneuptime)
CVE-2026-32308 (same product: Hackerbay Oneuptime)

Affected Assets

Vendor: hackerbay · Product: oneuptime · Versions: ≤ 10.0.40

The asset record stops at 10.0.40, while the advisory text says all versions prior to 10.0.42 are affected; treat 10.0.41 as affected unless the vendor confirms otherwise, and use 10.0.42 as the only safe floor.

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

AC-14 Permitted Actions Without Identification or Authentication · prevent
Requires the organization to enumerate and authorize the actions that may be performed without authentication; sending notifications and buying phone numbers do not belong on that list, so the control directly addresses unauthenticated access to the notification and phone management endpoints.

AC-3 Access Enforcement · prevent
Enforces approved access authorizations, blocking unauthenticated requests to the sensitive endpoints that enable SMS/call/email/WhatsApp abuse and phone purchases.

Flaw remediation · prevent
Mandates timely remediation of identified flaws, such as patching OneUptime to version 10.0.42 to fix the missing authentication vulnerability.
