Auth bypass in Oneuptime

CVE-2026-34759

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use C…

Vulnerability class: Broken Access Control

EPSS: 0.004 (59.3th percentile) — read the EPSS interpretation.

Affected products

Oneuptime — versions < 10.0.42

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6wc5-rhvj-cx7f (x_refsource_CONFIRM)
https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4 (x_refsource_MISC)
https://github.com/OneUptime/oneuptime/releases/tag/10.0.42 (x_refsource_MISC)