CVE-2026-32306 in oneuptime
Summary
by MITRE • 03/13/2026
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.
Analysis
by VulDB Data Team • 03/20/2026
CVE-2026-32306 affects OneUptime versions prior to 10.0.23 and is a critical SQL injection in the telemetry aggregation API. The endpoint takes the aggregationType, aggregateColumnName and aggregationTimestampColumnName request parameters and interpolates them, unchecked, into the ClickHouse SQL it executes. The query builder's .append() method is documented as accepting "trusted SQL", meaning the caller is responsible for passing only safe text; the defect is that request parameters were handed to it with no allowlist, validation or binding. These three parameters name a function and two columns rather than supplying values, so they occupy positions where ordinary parameter binding does not apply, and the correct control for them is a closed allowlist.
Technically this is classic SQL injection (CWE-89): user-supplied strings are concatenated into ClickHouse statements with no parameterization or filtering, so a caller who controls the aggregate column name can close the open parenthesis, append a UNION against another table or a table function, and comment out the remainder of the statement, including any tenant predicate. In ATT&CK terms this is T1190 (Exploit Public-Facing Application). The absence of allowlists, parameter binding and input validation means the attacker controls the whole statement, not merely one value in it.
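The pattern above, as an added example that is not OneUptime's code: a ClickHouse query builder that splices the three caller-controlled identifiers into SQL, next to a version that allowlists them and binds the only real value with a ClickHouse query parameter. The table name `metrics`, the column names, the request shape and the hostile input are all hypothetical.

```typescript
// Added example, not OneUptime's code. It contrasts a ClickHouse query
// builder that splices caller-controlled identifiers into SQL (the pattern
// the advisory describes) with one that allowlists them. The table name
// `metrics`, the column names and the request shape are hypothetical.

interface AggregateRequest {
  aggregationType: string;                // e.g. "SUM"
  aggregateColumnName: string;            // column to aggregate
  aggregationTimestampColumnName: string; // column to bucket on
  projectId: string;                      // tenant-scoping value
}

// Vulnerable builder: the three identifiers are appended verbatim, so the
// caller writes part of the statement. Nothing stops aggregateColumnName from
// closing the parenthesis, adding a UNION and commenting out the tenant filter.
function buildAggregateQueryVulnerable(req: AggregateRequest): string {
  let sql = "SELECT toStartOfInterval(" + req.aggregationTimestampColumnName;
  sql += ", INTERVAL 1 MINUTE) AS bucket, ";
  sql += req.aggregationType + "(" + req.aggregateColumnName + ") AS value";
  sql += " FROM metrics WHERE projectId = '" + req.projectId + "'";
  sql += " GROUP BY bucket ORDER BY bucket";
  return sql;
}

// Hardened builder. Function and column names cannot be bound as ordinary
// query parameters, so they are matched against closed allowlists; the one
// value, projectId, is bound with ClickHouse's {name:Type} parameter syntax.
const ALLOWED_AGGREGATIONS: ReadonlySet<string> = new Set(["SUM", "AVG", "MIN", "MAX", "COUNT"]);
const ALLOWED_COLUMNS: ReadonlySet<string> = new Set(["value", "count", "createdAt", "time"]);

interface BoundQuery {
  sql: string;
  params: Record<string, string>;
}

type BuildResult = { ok: true; query: BoundQuery } | { ok: false; reason: string };

function buildAggregateQuerySafe(req: AggregateRequest): BuildResult {
  const agg = req.aggregationType.toUpperCase();
  if (!ALLOWED_AGGREGATIONS.has(agg)) {
    return { ok: false, reason: `aggregationType not allowed: ${JSON.stringify(req.aggregationType)}` };
  }
  for (const col of [req.aggregateColumnName, req.aggregationTimestampColumnName]) {
    if (!ALLOWED_COLUMNS.has(col)) {
      return { ok: false, reason: `column not allowed: ${JSON.stringify(col)}` };
    }
  }
  // Quote even allowlisted identifiers so a later allowlist entry with odd
  // characters cannot change the statement's shape.
  const q = (id: string): string => "`" + id.replace(/`/g, "``") + "`";
  const sql =
    `SELECT toStartOfInterval(${q(req.aggregationTimestampColumnName)}, INTERVAL 1 MINUTE) AS bucket, ` +
    `${agg}(${q(req.aggregateColumnName)}) AS value ` +
    "FROM metrics WHERE projectId = {projectId:String} " +
    "GROUP BY bucket ORDER BY bucket";
  return { ok: true, query: { sql, params: { projectId: req.projectId } } };
}

// Constructed attacker input: an authenticated caller who can only choose the
// "column to aggregate" uses it to read another table and drop the tenant filter.
const hostileRequest: AggregateRequest = {
  aggregationType: "SUM",
  aggregateColumnName: "value) FROM metrics UNION ALL SELECT 0, name FROM system.users -- ",
  aggregationTimestampColumnName: "createdAt",
  projectId: "p1",
};

const benignRequest: AggregateRequest = {
  aggregationType: "avg",
  aggregateColumnName: "value",
  aggregationTimestampColumnName: "createdAt",
  projectId: "p1",
};

console.log(buildAggregateQueryVulnerable(hostileRequest)); // tenant filter now sits inside a comment
console.log(buildAggregateQuerySafe(hostileRequest));       // { ok: false, reason: ... }
console.log(buildAggregateQuerySafe(benignRequest));        // bound query; projectId is not in the SQL text
```

The vulnerable builder emits the hostile column name unchanged, so the statement that reaches ClickHouse reads system.users and never evaluates the projectId predicate. The hardened builder rejects anything that is not an exact allowlist member; lowercase "avg" is accepted only because it is normalized before the lookup. Recent ClickHouse releases also accept identifier parameters ({col:Identifier}), which protects the statement shape but still needs an allowlist to stop a caller from aggregating a column they should not see.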
Operationally, any authenticated user, in a multi-tenant deployment any tenant's user, can read telemetry belonging to every tenant (the injected SQL can drop the tenant filter), and can modify or delete monitoring records, corrupting the data operators rely on. The most serious outcome the advisory describes is remote code execution via ClickHouse table functions; at minimum, functions such as url(), file() and s3() turn the injection into network and filesystem access from the database server, and whether it goes further depends on the grants and settings of the ClickHouse account OneUptime connects with. The realistic worst case therefore ranges from a cross-tenant data breach to compromise of the database host, and that escalation maps to ATT&CK T1059 (Command and Scripting Interpreter).
The remediation for CVE-2026-32306 is to upgrade to OneUptime 10.0.23 or later. A post-upgrade check is to send an aggregateColumnName containing a quote or a closing parenthesis and confirm the API rejects it rather than forwarding it to ClickHouse. For the same pattern anywhere else in the code base: accept aggregationType only from a closed set of function names (SUM, AVG, MIN, MAX, COUNT and the like), accept column names only from the columns the target table actually has, quote identifiers, and bind every value through ClickHouse query parameters instead of string concatenation. Until the upgrade is in place, restrict network access to the telemetry API, run OneUptime's ClickHouse account with the least privilege it needs (read-only where possible, no DDL, no FILE, URL, S3 or REMOTE source privileges), and review system.query_log for statements from that account containing UNION, comment markers or table functions, which the legitimate aggregation path never emits. Periodic review of every place the application builds SQL from request data is how the next instance of this bug gets caught before it ships.
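The query_log review suggested above, as an added example that is neither OneUptime's nor ClickHouse's code: it parses a small constructed TSV export of ClickHouse's system.query_log (a real table; the export format and rows are made up here) and flags statements from the application's database account that a single-table aggregation endpoint would never produce. The account name "oneuptime_app" and the sample queries are hypothetical.

```typescript
// Added example, not OneUptime's or ClickHouse's code. It scans rows exported
// from ClickHouse's system.query_log (a real table; the TSV export format and
// the rows below are constructed) for statements issued by the application's
// database account that the legitimate aggregation endpoint would never emit.
// The account name "oneuptime_app" and the sample queries are hypothetical.

interface QueryLogRow {
  queryId: string;
  user: string;
  query: string;
}

// Table functions that read the filesystem or the network; a SELECT from the
// aggregation endpoint has no reason to call any of them.
const SOURCE_TABLE_FUNCTIONS = ["url", "file", "s3", "remote", "remoteSecure", "executable"];
const TABLE_FUNCTION_RE = new RegExp("\\b(" + SOURCE_TABLE_FUNCTIONS.join("|") + ")\\s*\\(", "i");

const CHECKS: Array<{ reason: string; test: (q: string) => boolean }> = [
  { reason: "UNION in a single-table aggregation", test: (q) => /\bunion\b/i.test(q) },
  { reason: "SQL comment marker (typical tail of an injected string)", test: (q) => /--|\/\*/.test(q) },
  { reason: "reads a system.* table", test: (q) => /\bsystem\.\w+/i.test(q) },
  { reason: "calls a file/network table function", test: (q) => TABLE_FUNCTION_RE.test(q) },
];

// Parses a three-column TSV export: query_id, user, query. Tabs inside the
// query text are assumed to have been escaped by the exporter.
function parseQueryLogTsv(tsv: string): QueryLogRow[] {
  return tsv
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((line) => {
      const parts = line.split("\t");
      return { queryId: parts[0] ?? "", user: parts[1] ?? "", query: parts.slice(2).join("\t") };
    });
}

function findSuspiciousQueries(rows: QueryLogRow[], appUser: string): Array<{ queryId: string; reasons: string[] }> {
  const hits: Array<{ queryId: string; reasons: string[] }> = [];
  for (const row of rows) {
    if (row.user !== appUser) continue; // only the application's account is in scope here
    const reasons = CHECKS.filter((c) => c.test(row.query)).map((c) => c.reason);
    if (reasons.length > 0) hits.push({ queryId: row.queryId, reasons });
  }
  return hits;
}

// Constructed sample: one normal aggregation, one UNION-based read of
// system.users, one url() call, and one admin query that is out of scope.
const SAMPLE_QUERY_LOG = [
  "q1\toneuptime_app\tSELECT toStartOfInterval(createdAt, INTERVAL 1 MINUTE) AS bucket, SUM(value) AS value FROM metrics WHERE projectId = 'p1' GROUP BY bucket",
  "q2\toneuptime_app\tSELECT toStartOfInterval(createdAt, INTERVAL 1 MINUTE) AS bucket, SUM(value) FROM metrics UNION ALL SELECT 0, name FROM system.users -- ) AS value FROM metrics WHERE projectId = 'p1'",
  "q3\toneuptime_app\tSELECT * FROM url('http://203.0.113.5/x', 'CSV', 'a String')",
  "q4\tdefault\tSELECT * FROM system.users",
].join("\n");

function scanSample(): Array<{ queryId: string; reasons: string[] }> {
  return findSuspiciousQueries(parseQueryLogTsv(SAMPLE_QUERY_LOG), "oneuptime_app");
}

console.log(JSON.stringify(scanSample(), null, 2)); // q2 and q3 are flagged, q1 and q4 are not
```

This is deliberately coarse: it keys on statement shape, not on the request that produced it, so it is a triage aid for the window before the upgrade rather than a substitute for fixing the builder. The cheaper and surer control is on the ClickHouse side: an application account without FILE, URL, S3 or REMOTE source privileges cannot call the table functions this scan looks for, whatever the injected text says.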