Auth bypass in OneUptime
CVE-2026-30959
OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (u…
EPSS: 0.000 (5.6th percentile)
Affected products
- OneUptime — versions < 10.0.21
Weakness classification (CWE)
References
- https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cw6x-mw64-q6pv (x_refsource_CONFIRM)
- https://github.com/OneUptime/oneuptime/releases/tag/10.0.21 (x_refsource_MISC)