CVE-2026-30956 in oneuptime
Summary
by MITRE • 03/10/2026
OneUptime is a solution for monitoring and managing online services. In OneUptime v10.0.20 and earlier, a low-privileged user can bypass authorization and tenant isolation by sending a forged is-multi-tenant-query header together with a controlled projectid header. Because the server trusts this client-supplied header, the internal permission checks in BasePermission are skipped and tenant scoping is disabled. An attacker can therefore read project data belonging to other tenants, read sensitive User fields via nested relations (including the plaintext resetPasswordToken), and use that token to reset the victim's password and take over the account. The result is cross-tenant data exposure and full account takeover. This vulnerability is fixed in 10.0.21.
Analysis
by VulDB Data Team • 03/14/2026
CVE-2026-30956 affects OneUptime v10.0.20 and earlier and is an authorization bypass in the platform's permission system. The root cause is that the server reads the is-multi-tenant-query header from the incoming request and uses it to decide whether BasePermission should enforce per-project permission checks and tenant scoping at all. That header is meant to mark queries that legitimately span tenants, but nothing stops a low-privileged user from setting it on an ordinary request. When it is forged, the internal checks in BasePermission are skipped and the query is no longer scoped to the caller's tenant.
Combined with a controlled projectid header, the forged header lets the attacker name any project and have the server answer as if the caller were authorized for it. This falls under CWE-285: Improper Authorization: the user is authenticated, but the application never verifies that they are authorized for the requested project, because the decision whether to verify was itself delegated to client input. The defining mistake is trusting a client-supplied value for a server-side security decision; a request header is no more trustworthy than a request body or a query parameter, and any flag that relaxes access control must come from server-side state rather than from the request.
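The following is an added illustration of the pattern described above, written for this page; it is not OneUptime's code, and the request shape, the in-memory records, the helper names and the field names are all assumptions made for the example. It puts a vulnerable handler, which skips the membership check whenever the client says the query is multi-tenant, next to a hardened one that ignores the header, derives scope from the server-side session, and projects nested relations down to non-sensitive fields.

```typescript
// Added example (not OneUptime's code). All names and data below are assumptions.

type HeaderMap = Record<string, string | undefined>;

interface AppRequest {
  headers: HeaderMap;
  // Identity established server-side, e.g. from a validated session cookie or token.
  session: { userId: string };
}

interface UserRecord {
  id: string;
  email: string;
  resetPasswordToken: string; // sensitive: must never leave the server
}

interface ProjectRecord {
  id: string;
  name: string;
  owner: UserRecord; // nested relation that leaks the token if returned as-is
}

// Constructed sample data: two tenants, one user each.
const alice: UserRecord = { id: "user-a", email: "alice@example.test", resetPasswordToken: "tok-alice" };
const bob: UserRecord = { id: "user-b", email: "bob@example.test", resetPasswordToken: "tok-bob" };
const projects: ProjectRecord[] = [
  { id: "proj-1", name: "Alice project", owner: alice },
  { id: "proj-2", name: "Bob project", owner: bob },
];
// Server-side source of truth for who may read which project.
const membership: Record<string, string[]> = { "user-a": ["proj-1"], "user-b": ["proj-2"] };

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function readHeader(req: AppRequest, name: string): string | undefined {
  const want = name.toLowerCase();
  const key = Object.keys(req.headers).find(k => k.toLowerCase() === want);
  return key === undefined ? undefined : req.headers[key];
}

// VULNERABLE: the membership check is skipped when the client asserts a multi-tenant query.
function fetchProjectVulnerable(req: AppRequest): ProjectRecord | "forbidden" {
  const projectId = readHeader(req, "projectid");
  const isMultiTenant = readHeader(req, "is-multi-tenant-query") === "true";
  const project = projects.find(p => p.id === projectId);
  if (!project) return "forbidden";
  if (!isMultiTenant) {
    const allowed = membership[req.session.userId] || [];
    if (allowed.indexOf(project.id) < 0) return "forbidden";
  }
  return project; // full record, nested owner.resetPasswordToken included
}

// HARDENED: the header plays no part; scope comes from the session, and the
// nested relation is projected to fields the caller is entitled to see.
function fetchProjectHardened(req: AppRequest): { id: string; name: string; ownerEmail: string } | "forbidden" {
  const projectId = readHeader(req, "projectid");
  const allowed = membership[req.session.userId] || [];
  const project = projects.find(p => p.id === projectId);
  if (!project || allowed.indexOf(project.id) < 0) return "forbidden";
  return { id: project.id, name: project.name, ownerEmail: project.owner.email };
}

// Constructed attack request: Alice (tenant A) asks for Bob's project with the forged header.
const forgedRequest: AppRequest = {
  headers: { "Is-Multi-Tenant-Query": "true", ProjectId: "proj-2" },
  session: { userId: "user-a" },
};

// Constructed legitimate request: Alice asks for her own project.
const ownRequest: AppRequest = {
  headers: { projectid: "proj-1" },
  session: { userId: "user-a" },
};
```

Against forgedRequest the vulnerable handler returns Bob's project together with owner.resetPasswordToken, which is exactly the token an attacker would feed to a password-reset flow; the hardened handler returns "forbidden" for the same request and still serves ownRequest, showing that removing the header from the decision costs legitimate users nothing.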
The impact goes beyond reading another tenant's project records. Nested relations on the returned objects expose User fields, including the plaintext resetPasswordToken, which the attacker can submit to the password-reset flow to set a new password for the victim and take over the account. The result is cross-tenant data exposure plus full account takeover. In ATT&CK terms this maps to T1078 (Valid Accounts) for the attacker's subsequent use of the hijacked account and T1531 (Account Access Removal) for locking the legitimate user out by changing their password.
The fix is to upgrade to OneUptime 10.0.21, which stops treating the client-supplied tenant header as an input to authorization and enforces the BasePermission checks and tenant scoping regardless of what the request carries. The general rule is that every value feeding an access-control decision must be derived server-side from the authenticated identity (session, token, membership records), never from a header the client can set; if an internal-only header is genuinely needed for service-to-service calls, it has to be stripped at the edge and accepted only from trusted internal callers. Operators should also review their own authorization code for similar header-driven bypasses, and alert on requests from ordinary users that carry is-multi-tenant-query, since under normal use such a request has no reason to exist. Where a deployment never needs that header from external clients, dropping it at the reverse proxy is a reasonable stopgap until the upgrade is applied.
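The detection suggested above, as an added example that is not part of OneUptime or of the VulDB analysis: it scans access-log lines for requests that carry the is-multi-tenant-query header from a client that is not a trusted internal service. The log format (one JSON object per line with the request headers copied in by a reverse proxy), the field names and the internal address list are assumptions made for the example; a real deployment would substitute its own proxy's format and its own list of internal callers.

```typescript
// Added detection example (not OneUptime's code). Log format and field names are assumed.

interface AccessLogEntry {
  ts: string;                      // ISO timestamp
  src: string;                     // client IP as seen by the proxy
  user: string;                    // authenticated user id, "-" if none
  method: string;
  path: string;
  headers: Record<string, string>; // request headers copied by the proxy
}

interface Finding {
  ts: string;
  src: string;
  user: string;
  reason: string;
}

// Assumed: only these addresses host internal services that may legitimately send the header.
const internalSources = new Set<string>(["10.0.0.5", "10.0.0.6"]);

// Normalise header names to lower case so "Is-Multi-Tenant-Query" and "is-multi-tenant-query" match.
function lowerHeaders(h: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const k of Object.keys(h)) out[k.toLowerCase()] = h[k];
  return out;
}

// Flags every request that carries the tenant-bypass header from a non-internal client.
function detectForgedTenantHeaders(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    if (line.trim() === "") continue;
    let entry: AccessLogEntry;
    try {
      entry = JSON.parse(line) as AccessLogEntry;
    } catch (e) {
      continue; // skip malformed lines rather than aborting the scan
    }
    const h = lowerHeaders(entry.headers || {});
    if (!("is-multi-tenant-query" in h)) continue;
    if (internalSources.has(entry.src)) continue; // expected internal use
    const projectId = h["projectid"] !== undefined ? h["projectid"] : "(none)";
    findings.push({
      ts: entry.ts,
      src: entry.src,
      user: entry.user,
      reason: "is-multi-tenant-query=" + h["is-multi-tenant-query"] +
              " from external client, projectid=" + projectId +
              " on " + entry.method + " " + entry.path,
    });
  }
  return findings;
}

// Constructed sample log: an internal call, a benign external call, a suspicious
// external call with mixed-case header names, and one malformed line.
const sampleLog: string[] = [
  JSON.stringify({ ts: "2026-03-15T10:00:00Z", src: "10.0.0.5", user: "svc-worker", method: "POST",
    path: "/api/projects", headers: { "is-multi-tenant-query": "true" } }),
  JSON.stringify({ ts: "2026-03-15T10:00:01Z", src: "203.0.113.7", user: "user-a", method: "POST",
    path: "/api/projects", headers: { projectid: "proj-1" } }),
  JSON.stringify({ ts: "2026-03-15T10:00:02Z", src: "203.0.113.7", user: "user-a", method: "POST",
    path: "/api/projects", headers: { "Is-Multi-Tenant-Query": "true", ProjectId: "proj-2" } }),
  "this line is not json",
];
```

Running detectForgedTenantHeaders(sampleLog) yields a single finding, for the external request from user-a that carries the header with projectid proj-2; the internal service call and the ordinary external request are not reported. Because the check keys on the header's presence rather than its value, a client sending is-multi-tenant-query with any content is still flagged.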