CVE-2026-30959

Summary

OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects the UserWhatsAppAPI.ts endpoint and the UserWhatsAppService.ts service.

Affected Software

VendorProductVersion RangeStatus
OneUptimeoneuptime< 10.0.21affected

Weaknesses

  • CWE-285: CWE-285: Improper Authorization
  • CWE-307: CWE-307: Improper Restriction of Excessive Authentication Attempts
  • CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key
  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

Additional References

References