Unauthenticated-Access — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/unauthenticated-access/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 02 Apr 2026 19:21:33 +0000OneUptime Unauthenticated Endpoint Access Vulnerability (CVE-2026-34758)https://feed.craftedsignal.io/briefs/2026-04-oneuptime-rce/Thu, 02 Apr 2026 19:21:33 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-oneuptime-rce/OneUptime versions prior to 10.0.42 are vulnerable to unauthenticated access to Notification test and Phone Number management endpoints, leading to potential abuse of SMS, Call, Email, and WhatsApp functionalities, and unauthorized phone number purchases, fixed in version 10.0.42.OneUptime, an open-source monitoring and observability platform, is susceptible to a critical vulnerability (CVE-2026-34758) affecting versions prior to 10.0.42. This vulnerability stems from the lack of authentication on critical Notification test and Phone Number management endpoints. Exploitation of this flaw could enable attackers to abuse SMS, call, email, and WhatsApp functionalities, potentially sending unsolicited messages or incurring costs for the affected organization. Furthermore, the vulnerability permits unauthorized phone number purchases, leading to financial and reputational damage. The vulnerability was reported on April 2, 2026, and patched in version 10.0.42. Organizations using affected versions of OneUptime should upgrade immediately.

Attack Chain

  1. The attacker identifies a vulnerable OneUptime instance running a version prior to 10.0.42.
  2. The attacker crafts a malicious HTTP request targeting the unauthenticated Notification test endpoint (e.g., /api/notification/test).
  3. The attacker injects arbitrary parameters into the request to control the SMS, Call, Email, or WhatsApp message content and recipients.
  4. The OneUptime server processes the request without authentication, triggering the sending of attacker-controlled messages.
  5. The attacker crafts a malicious HTTP request targeting the unauthenticated Phone Number management endpoint (e.g., /api/phone-number/purchase).
  6. The attacker provides details for a phone number purchase.
  7. The OneUptime server processes the request without authentication, initiating a phone number purchase, potentially incurring financial charges.
  8. The attacker leverages the purchased phone number for malicious activities, such as phishing or social engineering attacks.

Impact

Successful exploitation of CVE-2026-34758 can lead to significant repercussions. Attackers can abuse messaging services, sending spam, phishing links, or malicious content via SMS, email, and WhatsApp, impacting potentially thousands of users. Furthermore, unauthorized phone number purchases can result in unexpected financial costs and create opportunities for attackers to conduct further malicious activities, damaging the organization’s reputation and potentially leading to legal liabilities. The vulnerable versions of OneUptime expose organizations to significant risk until upgraded to version 10.0.42 or later.

Recommendation

  • Immediately upgrade OneUptime installations to version 10.0.42 or later to patch CVE-2026-34758.
  • Monitor web server logs for suspicious requests to the /api/notification/test and /api/phone-number/purchase endpoints, as described in the Attack Chain.
  • Deploy the Sigma rule “Detect Unauthenticated OneUptime Notification Test Access” to identify potential exploitation attempts in real-time.
  • Deploy the Sigma rule “Detect Unauthenticated OneUptime Phone Number Purchase Access” to identify potential exploitation attempts in real-time.
]]>criticaladvisorycvevulnerabilityoneuptimeunauthenticated-access