PT-2026-24150 · Oneuptime · Oneuptime

Maru1009 · Published 2026-03-09 · Updated 2026-03-12 · CVE-2026-30920

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 10.0.19

Description: OneUptime's GitHub App callback does not properly validate the state and installation ID values received from a user, allowing an attacker to overwrite another project's GitHub App installation binding. The callback decodes base64 JSON from the state parameter and uses the embedded projectId directly. It then updates Project.gitHubAppInstallationId with isRoot: true without verifying the caller's authorization for the target project. Related GitHub endpoints also lack effective authorization, enabling a valid installation ID to be used to enumerate repositories and create CodeRepository records in an arbitrary project. The vulnerable API endpoints are /api/github/auth/callback, /api/github/repositories and /api/github/connect; the state and installation ID parameters are the affected inputs.

Recommendations: Versions prior to 10.0.19 should be updated to version 10.0.19 or later.

Weakness Enumeration

Missing Authorization
Insufficient Verification of Data Authenticity
IDOR

Related Identifiers

CVE-2026-30920
GHSA-656W-6F6C-M9R6

Affected Products

Oneuptime