CVE-2026-30920: OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
(updated )
OneUptime’s GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project’s GitHub App installation binding.
Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project.
References
- github.com/OneUptime/oneuptime
- github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts
- github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts
- github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts
- github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts
- github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts
- github.com/OneUptime/oneuptime/blob/master/Common/Server/Middleware/UserAuthorization.ts
- github.com/OneUptime/oneuptime/blob/master/Common/Server/Utils/CodeRepository/GitHub/GitHub.ts
- github.com/OneUptime/oneuptime/security/advisories/GHSA-656w-6f6c-m9r6
- github.com/advisories/GHSA-656w-6f6c-m9r6
- nvd.nist.gov/vuln/detail/CVE-2026-30920
Code Behaviors & Features
Detect and mitigate CVE-2026-30920 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →