PT-2026-24189 · Oneuptime · Oneuptime

Zwique · Published 2026-03-10 · Updated 2026-03-17

CVE-2026-30956 · CVSS v3.1 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 10.0.21

Description: A low-privileged user can bypass authorization and tenant isolation in OneUptime by sending a forged is-multi-tenant-query header along with a controlled projectid header. The server incorrectly trusts this client-supplied header, skipping internal permission checks in BasePermission and disabling tenant scoping. This allows attackers to access project data belonging to other tenants, read sensitive User fields (including password, resetPasswordToken, and webauthnChallenge) via nested relations, leak the plaintext resetPasswordToken, and ultimately reset the victim's password, leading to full account takeover. The vulnerability stems from the system trusting a client-controlled header to determine whether to bypass authorization checks. The createdByUser relation within the Project model allows access to sensitive user data when select permission checks are bypassed. The reset token is stored in plaintext in the database and can be used to reset the victim's password.

Recommendations: Versions prior to 10.0.21 should be updated to version 10.0.21 or later.
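An added illustrative sketch of the two mitigations the description implies (not OneUptime's code; the names Session, QueryRequest and scopeQuery are hypothetical): the cross-tenant decision is derived from server-side session state instead of the is-multi-tenant-query header, and sensitive User fields are stripped from any nested relation select.

```typescript
// Illustrative example, not OneUptime's code. Session/QueryRequest/scopeQuery are hypothetical.
type Session = {
  userId: string;
  projectIds: string[];   // memberships resolved server-side from the authenticated user
  internal: boolean;      // set by the server from a verified service identity, never from a header
};
type QueryRequest = {
  headers: Record<string, string>;    // raw, attacker-controllable
  select: Record<string, unknown>;    // requested fields; relations such as createdByUser nest
};
type ScopedQuery = { projectId: string; select: Record<string, unknown> };

// User fields that must never be readable through a relation select.
const SENSITIVE_USER_FIELDS = new Set(["password", "resetPasswordToken", "webauthnChallenge"]);

// Decides the tenant scope a query may use, or throws.
// Client headers are treated as input only: is-multi-tenant-query is ignored entirely.
function scopeQuery(req: QueryRequest, session: Session): ScopedQuery {
  const projectId = req.headers["projectid"];
  if (!projectId) {
    throw new Error("forbidden: projectid header missing");
  }
  // Only a server-established internal identity may query outside its own memberships.
  if (!session.internal && !session.projectIds.includes(projectId)) {
    throw new Error("forbidden: caller is not a member of the requested project");
  }
  return { projectId, select: stripSensitive(req.select) };
}

// Recursively removes sensitive fields so a bypassed select check on a relation cannot leak them.
function stripSensitive(select: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [field, value] of Object.entries(select)) {
    if (SENSITIVE_USER_FIELDS.has(field)) continue;
    out[field] =
      typeof value === "object" && value !== null
        ? stripSensitive(value as Record<string, unknown>)
        : value;
  }
  return out;
}
```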

Weakness Enumeration: Missing Authorization; Improper Authorization

Related Identifiers: CVE-2026-30956, GHSA-R5V6-2599-9G3M

Affected Products: Oneuptime