PT-2026-25085 · Oneuptime

Restriction · Published 2026-03-12 · Updated 2026-03-21 · CVE-2026-32306

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 10.0.23

Description: OneUptime's telemetry aggregation API is susceptible to SQL injection because the user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters are interpolated directly into ClickHouse SQL queries via the .append() method. That method is documented as accepting "trusted SQL", and no input validation, allowlist, or parameterized query binding is applied. An authenticated user can exploit this to inject arbitrary SQL into ClickHouse, potentially leading to full database read access (including telemetry data from all tenants), data modification, and remote code execution via ClickHouse table functions. The affected endpoint is POST /{modelName}/aggregate, reached through the aggregateBy parameter. The vulnerability resides in the Common/Server/API/BaseAnalyticsAPI.ts and Common/Server/Services/AnalyticsDatabaseService.ts files. The attack flow is a crafted POST request to that endpoint with a malicious aggregateBy value, which is concatenated directly into the SQL query, so an attacker can execute arbitrary SQL commands within the ClickHouse database.
Recommendations: Versions prior to 10.0.23 should be updated to version 10.0.23 or later.
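The hardening the description calls for, as an added example that is not OneUptime's code: the three user-controlled parameters are checked against an allowlist and a strict identifier pattern before any ClickHouse SQL is assembled, and the time range is left to ClickHouse query parameters instead of string interpolation. The function names, the allowlisted aggregations, and the column set are assumptions.

```typescript
// Added example, not OneUptime's code: validate the three user-controlled
// aggregation parameters before building SQL, in place of appending them as
// "trusted SQL". All names below are assumptions.

// Aggregation functions the endpoint is meant to expose (assumed set).
const AGGREGATION_ALLOWLIST: ReadonlySet<string> = new Set([
  "COUNT", "SUM", "AVG", "MIN", "MAX",
]);
// Conservative identifier pattern for column and table names.
const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;

interface AggregateParams {
  aggregationType: string;
  aggregateColumnName: string;
  aggregationTimestampColumnName: string;
}

// Accepts a name only if it is a plain identifier AND, when a column list is
// given, one of the model's known columns; anything else is rejected outright.
function validateIdentifier(name: string, known?: ReadonlySet<string>): string {
  if (!IDENTIFIER_RE.test(name) || (known !== undefined && !known.has(name))) {
    throw new Error(`Rejected identifier: ${JSON.stringify(name)}`);
  }
  return name;
}

// Maps the requested aggregation onto an allowlisted function name.
function validateAggregationType(type: string): string {
  const fn = type.toUpperCase();
  if (!AGGREGATION_ALLOWLIST.has(fn)) {
    throw new Error(`Rejected aggregation type: ${JSON.stringify(type)}`);
  }
  return fn;
}

// Builds the ClickHouse aggregate query from validated identifiers only. The
// time range uses ClickHouse query parameters ({name:Type}), bound by the
// client at execution time, rather than values interpolated into the string.
function buildAggregateQuery(table: string, p: AggregateParams, knownColumns: ReadonlySet<string>): string {
  const fn = validateAggregationType(p.aggregationType);
  const col = validateIdentifier(p.aggregateColumnName, knownColumns);
  const ts = validateIdentifier(p.aggregationTimestampColumnName, knownColumns);
  const tbl = validateIdentifier(table);
  return (
    "SELECT toStartOfInterval(`" + ts + "`, INTERVAL 1 HOUR) AS bucket, " +
    fn + "(`" + col + "`) AS value FROM `" + tbl + "` " +
    "WHERE `" + ts + "` BETWEEN {start:DateTime} AND {end:DateTime} " +
    "GROUP BY bucket ORDER BY bucket"
  );
}
```

A request whose aggregationType or column names fail the checks never reaches the database; the error is raised before the query string exists.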

Tags: Exploit · Fix · RCE · SQL injection


Weakness Enumeration

Related identifiers

CVE-2026-32306
GHSA-P5G2-JM85-8G35

Affected products

Oneuptime