CVE-2026-34758 CRITICAL

CVE-2026-34758: OneUptime: Missing Authentication on Notification Endpoints

Vendor Oneuptime
Product oneuptime
Weakness CWE-306 · Missing auth
Published April 2, 2026
Last update April 3, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42.

Key dates

02Disclosure timeline

April 2, 2026 CVE published
April 3, 2026 Record updated