FKIE_CVE-2026-33142

Vulnerability from fkie_nvd - Published: 2026-03-20 21:17 - Updated: 2026-03-23 20:34
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to three other query construction paths in StatementGenerator. The toSortStatement, toSelectStatement, and toGroupByStatement methods accept user-controlled object keys from API request bodies and interpolate them as ClickHouse Identifier parameters without verifying they correspond to actual model columns. ClickHouse Identifier parameters are substituted directly into queries without escaping, so an attacker who can reach any analytics list or aggregate endpoint can inject arbitrary SQL through crafted sort, select, or groupBy keys. This issue has been patched in version 10.0.34.
References
security-advisories@github.comhttps://github.com/OneUptime/oneuptime/security/advisories/GHSA-gcg3-c5p2-cqggMitigation, Vendor Advisory
Impacted products
Vendor Product Version
hackerbay oneuptime *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E9A7D117-1577-4F24-BE5F-0E23A8A0BF3E",
              "versionEndExcluding": "10.0.34",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to three other query construction paths in StatementGenerator. The toSortStatement, toSelectStatement, and toGroupByStatement methods accept user-controlled object keys from API request bodies and interpolate them as ClickHouse Identifier parameters without verifying they correspond to actual model columns. ClickHouse Identifier parameters are substituted directly into queries without escaping, so an attacker who can reach any analytics list or aggregate endpoint can inject arbitrary SQL through crafted sort, select, or groupBy keys. This issue has been patched in version 10.0.34."
    },
    {
      "lang": "es",
      "value": "OneUptime es una soluci\u00f3n para monitorear y gestionar servicios en l\u00ednea. Antes de la versi\u00f3n 10.0.34, la correcci\u00f3n para CVE-2026-32306 (inyecci\u00f3n SQL de ClickHouse a trav\u00e9s de par\u00e1metros de consulta agregados) a\u00f1adi\u00f3 validaci\u00f3n de nombres de columna al m\u00e9todo _aggregateBy pero no aplic\u00f3 la misma validaci\u00f3n a otras tres rutas de construcci\u00f3n de consultas en StatementGenerator. Los m\u00e9todos toSortStatement, toSelectStatement y toGroupByStatement aceptan claves de objeto controladas por el usuario de cuerpos de solicitud de API y los interpolan como par\u00e1metros de identificador de ClickHouse sin verificar que correspondan a columnas de modelo reales. Los par\u00e1metros de identificador de ClickHouse se sustituyen directamente en las consultas sin escape, por lo que un atacante que pueda alcanzar cualquier lista de an\u00e1lisis o punto final agregado puede inyectar SQL arbitrario a trav\u00e9s de claves de ordenaci\u00f3n, selecci\u00f3n o agrupaci\u00f3n manipuladas. Este problema ha sido parcheado en la versi\u00f3n 10.0.34."
    }
  ],
  "id": "CVE-2026-33142",
  "lastModified": "2026-03-23T20:34:10.660",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T21:17:14.770",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-gcg3-c5p2-cqgg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.