{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/unauthenticated-access/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-34758"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","vulnerability","oneuptime","unauthenticated-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOneUptime, an open-source monitoring and observability platform, is susceptible to a critical vulnerability (CVE-2026-34758) affecting versions prior to 10.0.42. This vulnerability stems from the lack of authentication on critical Notification test and Phone Number management endpoints. Exploitation of this flaw could enable attackers to abuse SMS, call, email, and WhatsApp functionalities, potentially sending unsolicited messages or incurring costs for the affected organization. Furthermore, the vulnerability permits unauthorized phone number purchases, leading to financial and reputational damage. The vulnerability was reported on April 2, 2026, and patched in version 10.0.42. Organizations using affected versions of OneUptime should upgrade immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable OneUptime instance running a version prior to 10.0.42.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the unauthenticated Notification test endpoint (e.g., \u003ccode\u003e/api/notification/test\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker injects arbitrary parameters into the request to control the SMS, Call, Email, or WhatsApp message content and recipients.\u003c/li\u003e\n\u003cli\u003eThe OneUptime server processes the request without authentication, triggering the sending of attacker-controlled messages.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the unauthenticated Phone Number management endpoint (e.g., \u003ccode\u003e/api/phone-number/purchase\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker provides details for a phone number purchase.\u003c/li\u003e\n\u003cli\u003eThe OneUptime server processes the request without authentication, initiating a phone number purchase, potentially incurring financial charges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the purchased phone number for malicious activities, such as phishing or social engineering attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34758 can lead to significant repercussions. Attackers can abuse messaging services, sending spam, phishing links, or malicious content via SMS, email, and WhatsApp, impacting potentially thousands of users. Furthermore, unauthorized phone number purchases can result in unexpected financial costs and create opportunities for attackers to conduct further malicious activities, damaging the organization\u0026rsquo;s reputation and potentially leading to legal liabilities. The vulnerable versions of OneUptime expose organizations to significant risk until upgraded to version 10.0.42 or later.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade OneUptime installations to version 10.0.42 or later to patch CVE-2026-34758.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u003ccode\u003e/api/notification/test\u003c/code\u003e and \u003ccode\u003e/api/phone-number/purchase\u003c/code\u003e endpoints, as described in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthenticated OneUptime Notification Test Access\u0026rdquo; to identify potential exploitation attempts in real time.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthenticated OneUptime Phone Number Purchase Access\u0026rdquo; to identify potential exploitation attempts in real time.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T19:21:33Z","date_published":"2026-04-02T19:21:33Z","id":"/briefs/2026-04-oneuptime-rce/","summary":"OneUptime versions prior to 10.0.42 are vulnerable to unauthenticated access to Notification test and Phone Number management endpoints, leading to potential abuse of SMS, Call, Email, and WhatsApp functionalities, and unauthorized phone number purchases, fixed in version 10.0.42.","title":"OneUptime Unauthenticated Endpoint Access Vulnerability (CVE-2026-34758)","url":"https://feed.craftedsignal.io/briefs/2026-04-oneuptime-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Unauthenticated-Access","version":"https://jsonfeed.org/version/1.1"}