CVE-2026-30956: OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header that leads to cross‑tenant data exposure and account takeover
A low-privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 by sending a forged is-multi-tenant-query header together with an attacker-chosen projectid header.
Because the server trusts these client-supplied headers, the permission checks in BasePermission are skipped and tenant scoping is disabled, so the query is no longer restricted to the caller's own project.
This allows an attacker to:
- Access project data belonging to other tenants
- Read sensitive User fields via nested relations
- Leak a victim's plaintext resetPasswordToken
- Reset the victim's password and fully take over the account
The result is cross-tenant data exposure and full account takeover.
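The following is an added illustration of the pattern the advisory describes, not OneUptime's own code: a scope resolver that trusts the client-supplied is-multi-tenant-query and projectid headers beside one that derives the scope from the server-side session. The type names, the `Principal`/`QueryScope` shapes, the `isInternalService` flag, the sample rows and the fake token "tok-123" are all hypothetical and constructed for this example; only the header names, BasePermission and resetPasswordToken come from the advisory.

```typescript
// Added illustration (not OneUptime's code): a client-trusted
// "is-multi-tenant-query" header versus a server-derived scope.
// All type and function names are hypothetical.

type HeaderMap = Record<string, string | undefined>;

// Facts the server established from the session, never from request headers.
interface Principal {
  userId: string;
  memberOfProjects: Set<string>; // projects this user actually belongs to
  isInternalService: boolean;    // only a server-to-server caller may span tenants
}

interface ApiRequest {
  headers: HeaderMap;
  principal: Principal;
}

interface QueryScope {
  projectIds: string[] | null;   // null means "no tenant filter at all"
  enforcePermissions: boolean;   // false means BasePermission-style checks are skipped
}

interface UserRow { email: string; resetPasswordToken: string | null; }
interface IncidentRow { id: string; projectId: string; createdBy: UserRow; }

// Constructed sample rows for two tenants; "tok-123" is a fake token.
const INCIDENTS: IncidentRow[] = [
  { id: "inc-1", projectId: "proj-a", createdBy: { email: "alice@a.example", resetPasswordToken: null } },
  { id: "inc-2", projectId: "proj-b", createdBy: { email: "victim@b.example", resetPasswordToken: "tok-123" } },
];

// Vulnerable pattern: the caller decides whether tenant scoping applies.
function scopeFromHeaders(req: ApiRequest): QueryScope {
  if (req.headers["is-multi-tenant-query"] === "true") {
    return { projectIds: null, enforcePermissions: false };
  }
  const projectId = req.headers["projectid"];
  return { projectIds: projectId ? [projectId] : [], enforcePermissions: true };
}

// Hardened pattern: cross-tenant scope only for a server-verified internal caller;
// a user-supplied projectid is accepted only if the principal is a member of it.
function scopeFromPrincipal(req: ApiRequest): QueryScope {
  if (req.principal.isInternalService) {
    return { projectIds: null, enforcePermissions: false };
  }
  const projectId = req.headers["projectid"];
  if (!projectId || !req.principal.memberOfProjects.has(projectId)) {
    throw new Error("403 Forbidden: principal is not a member of the requested project");
  }
  return { projectIds: [projectId], enforcePermissions: true };
}

// Fields on the nested User relation that must never reach a client, whatever it selects.
const SENSITIVE_USER_FIELDS = new Set(["resetPasswordToken", "password"]);

// Apply the scope and a dotted select list ("createdBy.email") to the sample rows.
function queryIncidents(scope: QueryScope, select: string[]): Record<string, unknown>[] {
  const rows = scope.projectIds === null
    ? INCIDENTS
    : INCIDENTS.filter((r) => scope.projectIds!.includes(r.projectId));
  return rows.map((row) => {
    const out: Record<string, unknown> = {};
    for (const path of select) {
      const [field, nested] = path.split(".") as [string, string | undefined];
      if (field === "createdBy" && nested) {
        // With permission checks skipped, nested sensitive fields leak;
        // with checks enforced they are always stripped.
        if (scope.enforcePermissions && SENSITIVE_USER_FIELDS.has(nested)) continue;
        out[path] = (row.createdBy as unknown as Record<string, unknown>)[nested];
      } else if (!nested && field in row) {
        out[path] = (row as unknown as Record<string, unknown>)[field];
      }
    }
    return out;
  });
}

// An attacker who belongs only to proj-a forges the header and points projectid at proj-b.
function demo(): { leaked: Record<string, unknown>[]; hardenedRejected: boolean } {
  const attacker: Principal = { userId: "u-attacker", memberOfProjects: new Set(["proj-a"]), isInternalService: false };
  const forged: ApiRequest = { headers: { "is-multi-tenant-query": "true", projectid: "proj-b" }, principal: attacker };
  const leaked = queryIncidents(scopeFromHeaders(forged), ["id", "createdBy.email", "createdBy.resetPasswordToken"]);
  let hardenedRejected = false;
  try { scopeFromPrincipal(forged); } catch { hardenedRejected = true; }
  return { leaked, hardenedRejected };
}
```

Running `demo()` shows the two outcomes side by side: with the header-trusting resolver the forged request returns rows from both tenants, including the other tenant's resetPasswordToken, which is exactly the chain that enables the password reset; with the session-derived resolver the same request is refused before any query runs, and even a legitimate member's query never receives the token field. The general rule the example encodes is that any flag which widens authorization scope must come from state the server established itself, never from a request header.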