PT-2026-24191 · Oneuptime · Oneuptime

Aryma-F4 · Published 2026-03-10 · Updated 2026-03-16 · CVE-2026-30959

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
Name of the Vulnerable Software and Affected Versions: OneUptime (affected versions not specified)

Description: The 'resend-verification-code' endpoint in OneUptime allows an authenticated user to trigger a verification-code resend for any UserWhatsApp record by its itemId. A critical flaw exists because the system does not validate ownership of the UserWhatsApp record before allowing the resend operation, unlike the 'verify' endpoint. This impacts the UserWhatsAppAPI.ts endpoint and the UserWhatsAppService.ts service. An attacker with a valid account and access token can exploit this to repeatedly request verification codes for any user's WhatsApp number, potentially leading to spam, denial of service, social engineering attacks, or account lockout. The vulnerable API endpoint is /api/user-whats-app/resend-verification-code, which accepts a JSON payload containing the itemId of the target UserWhatsApp record. The vulnerable parameter is itemId.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
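The missing check, shown as an added example in the project's language (TypeScript) that is not OneUptime's own code: the vulnerable handler shape beside one that scopes the record lookup to the calling user (as the advisory says the 'verify' endpoint already does) and throttles resends per record. The record layout, in-memory store, error classes and cooldown value are assumptions.

```typescript
// Added example, not OneUptime's code; store, names and cooldown are assumptions.
type ObjectID = string;

interface UserWhatsApp { _id: ObjectID; userId: ObjectID; isVerified: boolean; }
interface Session { userId: ObjectID; }

// Constructed in-memory stand-in for the UserWhatsApp table.
const records = new Map<ObjectID, UserWhatsApp>([
  ["wa-1", { _id: "wa-1", userId: "user-a", isVerified: false }],
  ["wa-2", { _id: "wa-2", userId: "user-b", isVerified: false }],
]);
const sent: ObjectID[] = [];                 // records a code was (re)sent for
const lastSentAt = new Map<ObjectID, number>();
const RESEND_COOLDOWN_MS = 60_000;           // assumed policy: one resend per minute

class NotFoundError extends Error {}
class TooManyRequestsError extends Error {}

// Vulnerable shape: the caller is authenticated, but nothing ties the
// itemId to the calling user, so any account can target any record.
function resendVulnerable(_session: Session, itemId: ObjectID): void {
  const record = records.get(itemId);
  if (!record) throw new NotFoundError("UserWhatsApp not found");
  sent.push(record._id);
}

// Hardened: filter by owner, answer identically for "missing" and
// "not yours" so itemIds cannot be enumerated, and throttle per record.
function resendFixed(session: Session, itemId: ObjectID, now: number): void {
  const record = records.get(itemId);
  if (!record || record.userId !== session.userId) {
    throw new NotFoundError("UserWhatsApp not found");
  }
  if (record.isVerified) return;             // nothing to resend
  const last = lastSentAt.get(itemId) ?? -Infinity;
  if (now - last < RESEND_COOLDOWN_MS) {
    throw new TooManyRequestsError("resend cooldown active");
  }
  lastSentAt.set(itemId, now);
  sent.push(record._id);
}
```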

Tags: Exploit · Missing Authorization · Improper Restriction of Excessive Authentication Attempts · IDOR · Improper Authorization


Weakness Enumeration

Related Identifiers: CVE-2026-30959, GHSA-CW6X-MW64-Q6PV

Affected Products: Oneuptime