CVE-2026-34758 — AI Deep Analysis Summary

🚨 **Essence**: OneUptime has a critical **Access Control Error**. 📉 **Consequences**: Attackers can abuse notification systems (SMS, Calls, Email, WhatsApp) and buy phone numbers without permission.…

🛡️ **CWE**: CWE-306 (Missing Authentication for Critical Function). 🔍 **Flaw**: The system fails to verify user identity before allowing access to sensitive endpoints. It’s a classic **Broken Access Control** issue.

🏢 **Vendor**: OneUptime. 📦 **Product**: OneUptime (Open Source Monitoring Solution). ⚠️ **Affected Versions**: All versions **prior to 10.0.42**. If you are running 10.0.41 or lower, you are vulnerable.

🕵️ **Privileges**: None required (Unauthenticated). 📤 **Data/Actions**: Hackers can trigger notifications via SMS, Voice, Email, and WhatsApp. They can also **purchase phone numbers** using your account credits.…

🔓 **Threshold**: **LOW**. 🚫 **Auth**: No authentication needed. 🌐 **Network**: Remote (AV:N). ⚡ **Complexity**: Low (AC:L). Any anonymous user on the internet can exploit this easily.

🧪 **Public Exp?**: No specific PoC code provided in the data. 📢 **Status**: Confirmed via GitHub Security Advisory (GHSA-q253-6wcm-h8hp).…

🔍 **Self-Check**: Try accessing notification test endpoints and phone number management URLs directly. 🚫 If you get a response without logging in, you are vulnerable.…

✅ **Fixed**: Yes! 📦 **Patch**: Upgrade to **Version 10.0.42** or later. 🔗 **Source**: Official GitHub Release and Security Advisory. This is the definitive fix.

🛑 **Workaround**: If you cannot upgrade immediately, **block external access** to notification and phone management endpoints via firewall/WAF. 🚫 Restrict these API routes to internal IPs only until patched.

🔥 **Urgency**: **HIGH**. 📈 **CVSS**: 9.1 (Critical). 🚨 **Priority**: Patch immediately. The ability to buy phone numbers and send spam notifications without auth is a severe risk to your wallet and reputation.