CVE-2026-32306

CRITICAL

OneUptime < 10.0.23 - Authenticated SQL Injection via Telemetry API Parameters

Title source: llm

Description

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p5g2-jm85-8g35

Scores

CVSS v3 9.9

EPSS 0.0053

EPSS Percentile 67.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Products (3)

hackerbay/oneuptime < 10.0.23

npm/oneuptime 0 - 10.0.23npm

OneUptime/oneuptime < 10.0.23

Published Mar 13, 2026

Tracked Since Mar 14, 2026