Cyber Posture

CVE-2026-34759

Severity: High · Public PoC
Published: 02 April 2026
Modified: 13 April 2026
KEV Added: not listed
Patch: fixed in version 10.0.42 (see Deeper analysis)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0037 (59.1 percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34759 is a high-severity Missing Authorization (CWE-862) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 requires enforcement of approved authorizations on all API endpoints, directly preventing unauthenticated access to notification APIs that allow Twilio account manipulation.

Prevent: AC-14 mandates identification and documentation of actions permitted without authentication, ensuring sensitive notification endpoints like those under /notification/ are not exposed without middleware.

Prevent: SC-14 implements security safeguards for publicly accessible system resources, protecting externally reachable notification APIs via Nginx proxy from unauthorized exploitation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization on externally reachable public-facing API endpoints enables unauthenticated remote exploitation for unauthorized actions, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.

Deeper analysis

CVE-2026-34759 is a missing authorization vulnerability (CWE-862) in OneUptime, an open-source monitoring and observability platform. In versions prior to 10.0.42, multiple notification API endpoints lack authentication middleware, even though sibling endpoints in the same codebase correctly implement ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These unprotected endpoints are externally reachable through the Nginx proxy at /notification/.

An unauthenticated attacker can exploit this vulnerability over the network by first obtaining a projectId leaked from the public Status Page API. With this information, the attacker can then purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers, leading to high impacts on confidentiality, integrity, and availability. The CVSS v3.1 base score is 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting the high severity despite the somewhat complex attack requirements.

The issue was patched in OneUptime version 10.0.42. Mitigation details are provided in the GitHub security advisory (GHSA-6wc5-rhvj-cx7f), the release notes for version 10.0.42, and the fixing commit 9adbd04538714740506708d6fa610e433be4d2a4.
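As an added illustration of the registration gap described above (example code, not OneUptime's or the advisory's), the following JavaScript models Express-style route registration with a small in-file registry, an audit that lists routes under /notification/ missing the cluster-key middleware, and a fail-closed router that refuses to register such routes at startup. The middleware function, cluster key, paths and handlers are constructed stand-ins; isAuthorizedServiceMiddleware here only mimics the shape of the project's ClusterKeyAuthorization.isAuthorizedServiceMiddleware.

```javascript
// Added example (not OneUptime's code): Express-style route registration is
// modelled with a small in-file registry so it runs without the express package.
const CLUSTER_KEY = "constructed-cluster-key"; // constructed placeholder, not a real key

// Stand-in for the project's ClusterKeyAuthorization.isAuthorizedServiceMiddleware
// (assumed shape): reject any request that does not carry the expected cluster key.
function isAuthorizedServiceMiddleware(req, res, next) {
  if (req.headers.clusterkey !== CLUSTER_KEY) return res.status(401).send("unauthorized");
  return next();
}

// Minimal registry mirroring router.post(path, ...handlers).
class Router {
  constructor() { this.routes = []; }
  post(path, ...handlers) { this.routes.push({ method: "POST", path, handlers }); return this; }
}

// Audit: every route under a protected prefix must run the required middleware
// before its final handler. Returns "METHOD path" for each route that does not.
function findUnprotectedRoutes(router, protectedPrefixes, requiredMiddleware) {
  return router.routes
    .filter((r) => protectedPrefixes.some((p) => r.path.startsWith(p)))
    .filter((r) => !r.handlers.slice(0, -1).includes(requiredMiddleware))
    .map((r) => `${r.method} ${r.path}`);
}

// Fail-closed variant: refuses at startup to register an unprotected route under a
// protected prefix, so the gap surfaces before the service ever accepts traffic.
class GuardedRouter extends Router {
  constructor(protectedPrefixes, requiredMiddleware) {
    super();
    Object.assign(this, { protectedPrefixes, requiredMiddleware });
  }
  post(path, ...handlers) {
    const candidate = { routes: [{ method: "POST", path, handlers }] };
    const missing = findUnprotectedRoutes(candidate, this.protectedPrefixes, this.requiredMiddleware);
    if (missing.length > 0) throw new Error(`refusing to register unprotected route: ${missing[0]}`);
    return super.post(path, ...handlers);
  }
}

// The pattern the advisory describes: sibling endpoints that differ only in whether
// the middleware was attached. Paths and handlers are constructed for the example.
function buildVulnerableRouter() {
  const handler = (req, res) => res.status(200).send("ok");
  return new Router()
    .post("/notification/sms/send", isAuthorizedServiceMiddleware, handler)
    .post("/notification/phone-numbers", handler); // middleware forgotten here
}
```

The same audit can run in a startup self-check or a CI test against the real router's registered routes, turning a silent omission into a hard failure.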

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products: hackerbay / oneuptime ≤ 10.0.42

CVEs Like This One

CVE-2026-34840 (same product: Hackerbay Oneuptime)
CVE-2026-33142 (same product: Hackerbay Oneuptime)
CVE-2026-30956 (same product: Hackerbay Oneuptime)
CVE-2026-30920 (same product: Hackerbay Oneuptime)
CVE-2026-33143 (same product: Hackerbay Oneuptime)
CVE-2026-30958 (same product: Hackerbay Oneuptime)
CVE-2026-32306 (same product: Hackerbay Oneuptime)
CVE-2026-33396 (same product: Hackerbay Oneuptime)
CVE-2026-28787 (same product: Hackerbay Oneuptime)
CVE-2026-35053 (same product: Hackerbay Oneuptime)

References