GHSA-CW6X-MW64-Q6PV

Vulnerability from github – Published: 2026-03-10 01:15 – Updated: 2026-03-10 18:45
VLAI?
Summary
OneUptime has WhatsApp Resend Verification Authorization Bypass
Details

Description

The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint).

Affected Source

Full Code Lines (UserWhatsAppAPI.ts)

Resend path (authorization gap):

    this.router.post(
      `${new this.entityType()
        .getCrudApiPath()
        ?.toString()}/resend-verification-code`,
      UserMiddleware.getUserMiddleware,
      async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
        try {
          req = req as OneUptimeRequest;

          if (!req.body.itemId) {
            return Response.sendErrorResponse(
              req,
              res,
              new BadDataException("Invalid item ID"),
            );
          }

          await this.service.resendVerificationCode(req.body.itemId);

          return Response.sendEmptySuccessResponse(req, res);
        } catch (err) {
          return next(err);
        }
      },
    );

Verify path (ownership check present):

          if (
            item.userId?.toString() !==
            (req as OneUptimeRequest)?.userAuthorization?.userId?.toString()
          ) {
            return Response.sendErrorResponse(
              req,
              res,
              new BadDataException("Invalid user ID"),
            );
          }

Prerequisites

  • Valid attacker account with access to a project
  • Attacker access token
  • A victim’s UserWhatsApp itemId belonging to the same project

Steps to Reproduce

  1. Set your attacker token:

bash export ATK="Bearer <attacker-access-token>"

  1. Trigger resend for the victim’s item:

bash curl -s -X POST \ -H "Content-Type: application/json" \ -H "Authorization: $ATK" \ -d '{"itemId":"<victim-userwhatsapp-id>"}' \ http://<host>/api/user-whats-app/resend-verification-code

Expected/Observed Behavior

  • HTTP 200 with {} body and a new verification code sent to the victim’s phone
  • No checks confirm that item.userId equals the authenticated user’s ID for the resend path

Impact

  • Spam/DoS against victims’ phone numbers, social engineering pressure, and potential lockout flows due to repeated resends

Recommended Fix

  • Enforce ownership: item.userId must match the authenticated user
  • Add per-item and per-user rate limiting for resends
Severity ?
5.3 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@oneuptime/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.0.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30959"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-307",
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T01:15:30Z",
    "nvd_published_at": "2026-03-10T18:18:55Z",
    "severity": "MODERATE"
  },
  "details": "### Description  \n  The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any `UserWhatsApp` record by ID. Ownership is not validated (unlike the verify endpoint).\n\n### Affected Source  \n- Endpoint: [UserWhatsAppAPI.ts](https://github.com/OneUptime/oneuptime/Common/Server/API/UserWhatsAppAPI.ts#L129-L153)  \n- Service: [UserWhatsAppService.ts](https://github.com/OneUptime/oneuptime/Common/Server/API/UserWhatsAppAPI.ts#L129-L153)  \n- Verify ownership (present in verify endpoint for comparison): [UserWhatsAppAPI.ts](https://github.com/OneUptime/oneuptime/Common/Server/API/UserWhatsAppAPI.ts#L78-L87)\n\n\n### Full Code Lines (UserWhatsAppAPI.ts)\n\nResend path (authorization gap):\n\n```ts\n    this.router.post(\n      `${new this.entityType()\n        .getCrudApiPath()\n        ?.toString()}/resend-verification-code`,\n      UserMiddleware.getUserMiddleware,\n      async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) =\u003e {\n        try {\n          req = req as OneUptimeRequest;\n\n          if (!req.body.itemId) {\n            return Response.sendErrorResponse(\n              req,\n              res,\n              new BadDataException(\"Invalid item ID\"),\n            );\n          }\n\n          await this.service.resendVerificationCode(req.body.itemId);\n\n          return Response.sendEmptySuccessResponse(req, res);\n        } catch (err) {\n          return next(err);\n        }\n      },\n    );\n```\n\nVerify path (ownership check present):\n\n```ts\n          if (\n            item.userId?.toString() !==\n            (req as OneUptimeRequest)?.userAuthorization?.userId?.toString()\n          ) {\n            return Response.sendErrorResponse(\n              req,\n              res,\n              new BadDataException(\"Invalid user ID\"),\n            );\n          }\n```\n\n## Prerequisites\n- Valid attacker account with access to a project\n- Attacker access token\n- A victim\u2019s `UserWhatsApp` itemId belonging to the same project\n\n## Steps to Reproduce\n1. Set your attacker token:\n\n   ```bash\n   export ATK=\"Bearer \u003cattacker-access-token\u003e\"\n   ```\n\n2. Trigger resend for the victim\u2019s item:\n\n   ```bash\n   curl -s -X POST \\\n     -H \"Content-Type: application/json\" \\\n     -H \"Authorization: $ATK\" \\\n     -d \u0027{\"itemId\":\"\u003cvictim-userwhatsapp-id\u003e\"}\u0027 \\\n     http://\u003chost\u003e/api/user-whats-app/resend-verification-code\n   ```\n\n## Expected/Observed Behavior\n- HTTP 200 with `{}` body and a new verification code sent to the victim\u2019s phone\n- No checks confirm that `item.userId` equals the authenticated user\u2019s ID for the resend path\n\n## Impact\n- Spam/DoS against victims\u2019 phone numbers, social engineering pressure, and potential lockout flows due to repeated resends\n\n## Recommended Fix\n- Enforce ownership: `item.userId` must match the authenticated user\n- Add per-item and per-user rate limiting for resends",
  "id": "GHSA-cw6x-mw64-q6pv",
  "modified": "2026-03-10T18:45:24Z",
  "published": "2026-03-10T01:15:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cw6x-mw64-q6pv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30959"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OneUptime/oneuptime"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OneUptime has WhatsApp Resend Verification Authorization Bypass"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.