GHSA-675q-66gf-gqg8: OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation

November 25, 2025

During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, a user is able to gain access to the admin dashboard interface. However, despite accessing the admin panel, the user does not have sufficient permissions to view or interact with actual data.

References

github.com/OneUptime/oneuptime
github.com/OneUptime/oneuptime/commit/3e72b2a9a4f50f98cf1f6cf13fa3e405715bb370
github.com/OneUptime/oneuptime/security/advisories/GHSA-675q-66gf-gqg8
github.com/advisories/GHSA-675q-66gf-gqg8

Code Behaviors & Features

Detect and mitigate GHSA-675q-66gf-gqg8 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →