PT-2026-29876 · Twilio+1

Kodareef5 · Published 2026-04-02 · Updated 2026-04-03 · CVE-2026-34759

CVSS v4.0 9.2 Critical
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 10.0.42

Description: OneUptime, an open-source monitoring and observability platform, registered several notification API endpoints under /notification/ without the authentication middleware that its other endpoints correctly use. An unauthenticated attacker who knows a victim's projectId could call these endpoints to purchase phone numbers on the victim's Twilio account and to delete the existing alerting numbers. The projectId required for the requests is exposed by the public Status Page API, which is what makes the missing check exploitable without any credentials.

Recommendations: Update to version 10.0.42 or later. Because the endpoints were reachable anonymously before the fix, also review the linked Twilio account for phone numbers that were purchased, and alerting numbers that were removed, without an operator's involvement.
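The pattern behind this advisory, a route group registered without the authentication middleware that every other route carries, is easy to reproduce and easy to audit for. The following is an added example in plain JavaScript, not OneUptime's code or Kodareef5's exploit: a minimal Express-style router with a vulnerable and a fixed route table, the two-step chain from the description (harvest projectId from the public status page, replay it against a /notification/ endpoint with no credentials), and a startup audit that lists every non-public route missing the auth middleware. All route paths, handler names, the header checked and the projectId value are hypothetical.

```javascript
// Added example, not OneUptime's code: an Express-style router that
// reproduces a route group registered without authentication middleware,
// plus an audit that lists such routes. Paths, handler names, the header
// name and the projectId value are all hypothetical.

// Authentication middleware: stops the chain with 401 unless an
// Authorization header is present (token validation is out of scope here).
function requireAuth(req, res, next) {
  if (!req.headers.authorization) {
    res.status = 401;
    res.body = { error: 'unauthenticated' };
    return; // do not call next(): the handler never runs
  }
  next();
}

// Handlers stand in for the real ones and only record what would have happened.
function getStatusPage(req, res) {
  // Public by design, but its response carries the projectId that the
  // notification endpoints key on (constructed value).
  res.status = 200;
  res.body = { name: 'Example Status Page', projectId: 'proj-0001' };
}
function purchasePhoneNumber(req, res) {
  res.status = 200;
  res.body = { action: 'purchase', projectId: req.body.projectId };
}
function deletePhoneNumber(req, res) {
  res.status = 200;
  res.body = { action: 'delete', projectId: req.body.projectId, numberId: req.body.numberId };
}
function updateProject(req, res) {
  res.status = 200;
  res.body = { action: 'update', projectId: req.body.projectId };
}

// Build the route table. notificationAuth=false reproduces the vulnerable
// registration (the /notification/ group has no middleware); true is the fix.
function buildRoutes({ notificationAuth }) {
  const notificationMiddleware = notificationAuth ? [requireAuth] : [];
  return [
    { method: 'GET',  path: '/status-page',                 public: true,  middlewares: [],                     handler: getStatusPage },
    { method: 'POST', path: '/notification/phone/purchase', public: false, middlewares: notificationMiddleware, handler: purchasePhoneNumber },
    { method: 'POST', path: '/notification/phone/delete',   public: false, middlewares: notificationMiddleware, handler: deletePhoneNumber },
    { method: 'POST', path: '/project/update',              public: false, middlewares: [requireAuth],          handler: updateProject },
  ];
}

// Run a request through the matching route's middleware chain and handler.
function dispatch(routes, req) {
  const route = routes.find((r) => r.method === req.method && r.path === req.path);
  const res = { status: 404, body: null };
  if (!route) return res;
  const chain = [...route.middlewares, route.handler];
  let i = 0;
  const next = () => {
    const fn = chain[i++];
    if (fn) fn(req, res, next);
  };
  next();
  return res;
}

// The check to run at startup or in CI: every route that is not explicitly
// public must carry requireAuth. Returns the offenders as "METHOD path".
function auditUnauthenticatedRoutes(routes) {
  return routes
    .filter((r) => !r.public && !r.middlewares.includes(requireAuth))
    .map((r) => `${r.method} ${r.path}`);
}

// Walk the attack chain from the description against one route table.
function demo(notificationAuth) {
  const routes = buildRoutes({ notificationAuth });
  // 1. Harvest projectId from the public status page, no credentials.
  const leak = dispatch(routes, { method: 'GET', path: '/status-page', headers: {}, body: {} });
  const projectId = leak.body.projectId;
  // 2. Replay it against a notification endpoint, still no credentials.
  const del = dispatch(routes, {
    method: 'POST', path: '/notification/phone/delete',
    headers: {}, body: { projectId, numberId: 'num-42' },
  });
  return { projectId, deleteStatus: del.status, unauthenticated: auditUnauthenticatedRoutes(routes) };
}

console.log('vulnerable:', demo(false));
console.log('fixed:     ', demo(true));
```

The audit deliberately keys on an explicit `public: true` flag rather than on the absence of middleware, so that a route added without any annotation is reported rather than silently treated as intentionally open; that is the failure mode in this advisory, where one route group simply never had the check attached.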

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-34759

Affected Products

OneUptime
Twilio