Auth bypass in Oneuptime

CVE-2026-35053

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowI…

Vulnerability class: Broken Authentication

EPSS: 0.002 (37.7th percentile) — read the EPSS interpretation.

Affected products

Oneuptime — versions < 10.0.42

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6c3w-7xg4-4cf7 (x_refsource_CONFIRM)
https://github.com/OneUptime/oneuptime/releases/tag/10.0.42 (x_refsource_MISC)