CVE-2026-30959: OneUptime has WhatsApp Resend Verification Authorization Bypass

March 10, 2026

The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint).

References

github.com/OneUptime/oneuptime
github.com/OneUptime/oneuptime/releases/tag/10.0.21
github.com/OneUptime/oneuptime/security/advisories/GHSA-cw6x-mw64-q6pv
github.com/advisories/GHSA-cw6x-mw64-q6pv
nvd.nist.gov/vuln/detail/CVE-2026-30959

Code Behaviors & Features

Detect and mitigate CVE-2026-30959 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →