PT-2026-26198 · Oneuptime · Oneuptime

Vnykmshr · Published 2026-03-18 · Updated 2026-03-21 · CVE-2026-33142

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the vulnerable software and affected versions
OneUptime versions prior to 10.0.34

Description
OneUptime, a service monitoring solution, contains a SQL injection flaw. The toSortStatement, toSelectStatement, and toGroupByStatement methods of the StatementGenerator component do not validate user-supplied object keys before interpolating them as ClickHouse Identifier parameters, and those Identifier parameters are substituted into the query text without escaping. An authenticated attacker (PR:L in the vector above) can therefore inject arbitrary SQL through crafted sort, select, or groupBy keys in the request body of an API call. Every analytics list or aggregate endpoint backed by BaseAnalyticsAPI.getList() or BaseAnalyticsAPI.getAggregate() is affected, including the analytics queries for logs, metrics, spans, and exceptions. Vulnerable request-body parameters: sort, select, groupBy. Vulnerable methods: toSortStatement(), toSelectStatement(), toGroupByStatement().

Recommendations
Update to version 10.0.34 or later. The fix adds to the three unvalidated methods (toSortStatement, toSelectStatement, toGroupByStatement) the getTableColumn() check that toWhereStatement already performs: each method iterates over the supplied keys and rejects any key for which this.model.getTableColumn(key) does not resolve to a real model column, so only known column names ever reach the query as identifiers.

Exploit

Fix

SQL injection


Weakness Enumeration

Related identifiers

CVE-2026-33142
GHSA-GCG3-C5P2-CQGG

Affected products

Oneuptime