PT-2026-25091 · Oneuptime

N0Rv-Tvt · Published 2026-03-12 · Updated 2026-03-13 · CVE-2026-32598

CVSS v4.0: 6.9 (Medium)
Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OneUptime, versions prior to 10.0.24

Description: OneUptime, a service for monitoring and managing online services, exposes password reset tokens through its own logs. Before version 10.0.24, the complete password reset URL, including the plaintext reset token, was written to the log at the INFO level, a level that is enabled by default in production. The URL has the form https://app.oneuptime.com/accounts/reset-password/<plaintext-token>, so the log line contains everything needed to complete the reset. Anyone who can read the application logs, whether directly, through Docker or Kubernetes, or through a log aggregation system, can collect these tokens and take over the corresponding user accounts. Because every password reset request is logged this way, the exposure is systematic: all reset tokens issued while the vulnerable version was running are available to any log reader. The vulnerable code is in App/FeatureSet/Identity/API/Authentication.ts, lines 370-371, where tokenVerifyUrl is logged. Separately, line 909 logs the login request data, including cleartext passwords, at the DEBUG level; this is not on by default in production but exposes credentials wherever DEBUG logging is enabled.

Recommendations: Upgrade versions prior to 10.0.24 to version 10.0.24 or later. Because tokens already written to logs remain valid until they expire or are used, operators should also treat existing log stores as containing live reset tokens and invalidate outstanding reset tokens after upgrading.
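The following TypeScript is an added example, not OneUptime's code and not its fix: it shows the logging pattern the advisory describes beside a hardened variant that redacts the token before the URL is logged, a redaction helper for the DEBUG-level request-body case, and a scan over exported log lines that recovers any reset tokens already written to them. All function names, the sample token, the redaction approach and the constructed log lines are assumptions for illustration; only the URL shape https://app.oneuptime.com/accounts/reset-password/<plaintext-token> comes from the advisory.

```typescript
// Added example (not OneUptime's own code or fix). Function names, the sample
// token and the log lines below are constructed for illustration.

const RESET_PATH = "/accounts/reset-password/";

// Mirrors the URL shape given in the advisory:
// https://app.oneuptime.com/accounts/reset-password/<plaintext-token>
function buildResetUrl(baseUrl: string, token: string): string {
  return `${baseUrl}${RESET_PATH}${token}`;
}

// Vulnerable pattern: the complete URL, token included, is handed to the
// logger at a level that is on in production. Whoever reads the log owns the
// reset.
function vulnerableLogLine(resetUrl: string): string {
  return `INFO Password reset link: ${resetUrl}`;
}

// Hardened pattern: replace the token path segment before the URL is logged.
// The log still records that a reset link was issued and for which host.
// Any query string or fragment after the token is kept.
function redactResetUrl(resetUrl: string): string {
  return resetUrl.replace(/(\/accounts\/reset-password\/)[^/?#]+/, "$1[REDACTED]");
}

function hardenedLogLine(resetUrl: string): string {
  return `INFO Password reset link issued: ${redactResetUrl(resetUrl)}`;
}

// The DEBUG-level finding: request bodies logged verbatim carry cleartext
// passwords. Redact known secret fields before any body reaches a logger.
// The field list is an assumption; extend it to match the real request schema.
const SECRET_FIELDS = new Set(["password", "newPassword", "token"]);

function redactSensitiveFields(body: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(body)) {
    out[key] = SECRET_FIELDS.has(key) ? "[REDACTED]" : body[key];
  }
  return out;
}

// Detection / incident response: scan log lines (Docker, Kubernetes or an
// aggregator export) for reset URLs that still carry a token. Returns the
// tokens so they can be invalidated and the affected accounts reviewed.
// The token character class and minimum length are assumptions.
function findLeakedResetTokens(logLines: string[]): string[] {
  const re = /https?:\/\/[^\s/]+\/accounts\/reset-password\/([A-Za-z0-9_-]{16,})/g;
  const tokens: string[] = [];
  for (const line of logLines) {
    re.lastIndex = 0;
    let m: RegExpExecArray | null;
    while ((m = re.exec(line)) !== null) {
      tokens.push(m[1]);
    }
  }
  return tokens;
}

// Constructed sample data (not real OneUptime output or a real token).
const SAMPLE_TOKEN = "0123456789abcdef0123456789abcdef";
const SAMPLE_URL = buildResetUrl("https://app.oneuptime.com", SAMPLE_TOKEN);
const sampleLogs: string[] = [
  vulnerableLogLine(SAMPLE_URL),
  hardenedLogLine(SAMPLE_URL),
  "INFO Health check ok",
];

// Run stand-alone: the scan reports exactly one leaked token, from the
// vulnerable line; the hardened line yields nothing.
console.log(findLeakedResetTokens(sampleLogs));
console.log(redactSensitiveFields({ email: "user@example.com", password: "hunter2" }));
```

The scan is the piece to keep: run it over log exports covering the period a vulnerable version was deployed, invalidate every token it returns, and check those accounts for resets you did not expect.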


Weakness Enumeration

CWE-532: Insertion of Sensitive Information into Log File

Related Identifiers

CVE-2026-32598
GHSA-4524-CJ9J-G4FJ

Affected Products

Oneuptime