GHSA-656W-6F6C-M9R6

Vulnerability from github – Published: 2026-03-09 17:29 – Updated: 2026-03-10 18:44
VLAI?
Summary
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
Details

Summary

OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding.

Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project.

Details

The callback decodes unsigned base64 JSON from state and uses the embedded projectId directly:

  • https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L34-L112

It then writes the supplied installation_id into the target project with root privileges:

await ProjectService.updateOneById({
  id: new ObjectID(projectId),
  data: { gitHubAppInstallationId: installationId },
  props: { isRoot: true },
});

The userId in state is only checked for presence, not authenticity:

  • https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L73-L79

The install flow also generates state as plain base64 JSON, not a signed or session-bound token:

  • https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L127-L165

The follow-on endpoints are also vulnerable:

  • Repository listing: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L179-L258
  • Repository connect: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L260-L356
  • Middleware allows requests with no token to continue as Public: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Middleware/UserAuthorization.ts#L205-L211
  • Installation tokens are minted from any valid installation ID: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Utils/CodeRepository/GitHub/GitHub.ts#L347-L425

PoC

Minimal proof of unauthorized project tampering:

STATE=$(printf '%s' '{"projectId":"<victim-project-uuid>","userId":"x"}' | base64 | tr -d '\n')
curl -isk "https://<host>/api/github/auth/callback?installation_id=999999999&state=${STATE}"

Expected result:

  • Server returns a 302 redirect to /dashboard/<victim-project-uuid>/code-repository?installation_id=999999999
  • The target project's gitHubAppInstallationId is overwritten

Impact

  • Unauthorized modification of Project.gitHubAppInstallationId
  • Temporary GitHub integration breakage if a bogus installation ID is set
  • Cross-project binding of attacker-controlled GitHub App installations
  • Repository metadata disclosure for a supplied valid installation ID
  • Unauthorized creation of CodeRepository records in arbitrary projects
Severity ?
8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@oneuptime/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.0.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-09T17:29:47Z",
    "nvd_published_at": "2026-03-10T17:40:16Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nOneUptime\u0027s GitHub App callback trusts attacker-controlled `state` and `installation_id` values and updates `Project.gitHubAppInstallationId` with `isRoot: true` without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project\u0027s GitHub App installation binding.\n\nRelated GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create `CodeRepository` records in an arbitrary project.\n\n### Details\n\nThe callback decodes unsigned base64 JSON from `state` and uses the embedded `projectId` directly:\n\n- https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L34-L112\n\nIt then writes the supplied `installation_id` into the target project with root privileges:\n\n```ts\nawait ProjectService.updateOneById({\n  id: new ObjectID(projectId),\n  data: { gitHubAppInstallationId: installationId },\n  props: { isRoot: true },\n});\n```\n\nThe `userId` in `state` is only checked for presence, not authenticity:\n\n- https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L73-L79\n\nThe install flow also generates `state` as plain base64 JSON, not a signed or session-bound token:\n\n- https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L127-L165\n\nThe follow-on endpoints are also vulnerable:\n\n- Repository listing: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L179-L258\n- Repository connect: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L260-L356\n- Middleware allows requests with no token to continue as `Public`: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Middleware/UserAuthorization.ts#L205-L211\n- Installation tokens are minted from any valid installation ID: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Utils/CodeRepository/GitHub/GitHub.ts#L347-L425\n\n### PoC\n\nMinimal proof of unauthorized project tampering:\n\n```bash\nSTATE=$(printf \u0027%s\u0027 \u0027{\"projectId\":\"\u003cvictim-project-uuid\u003e\",\"userId\":\"x\"}\u0027 | base64 | tr -d \u0027\\n\u0027)\ncurl -isk \"https://\u003chost\u003e/api/github/auth/callback?installation_id=999999999\u0026state=${STATE}\"\n```\n\nExpected result:\n\n- Server returns a `302` redirect to `/dashboard/\u003cvictim-project-uuid\u003e/code-repository?installation_id=999999999`\n- The target project\u0027s `gitHubAppInstallationId` is overwritten\n\n### Impact\n\n- Unauthorized modification of `Project.gitHubAppInstallationId`\n- Temporary GitHub integration breakage if a bogus installation ID is set\n- Cross-project binding of attacker-controlled GitHub App installations\n- Repository metadata disclosure for a supplied valid installation ID\n- Unauthorized creation of `CodeRepository` records in arbitrary projects",
  "id": "GHSA-656w-6f6c-m9r6",
  "modified": "2026-03-10T18:44:14Z",
  "published": "2026-03-09T17:29:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-656w-6f6c-m9r6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30920"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OneUptime/oneuptime"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L127-L165"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L179-L258"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L260-L356"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L34-L112"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L73-L79"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Middleware/UserAuthorization.ts#L205-L211"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Utils/CodeRepository/GitHub/GitHub.ts#L347-L425"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.