Security Flaw in OneUptime's GitHub App Impacting Project Data Management
CVE-2026-30920

8.6HIGH

Key Information:

Vendor: Oneuptime
Status: Oneuptime
Vendor: CVE Published:; 9 March 2026

What is CVE-2026-30920?

OneUptime, a service for monitoring online services, contains a vulnerability where its GitHub App callback improperly trusts values from attacker-controlled sources. Without adequate validation of authorization, this allows unauthorized users to modify Project.gitHubAppInstallationId with isRoot: true, leading to unauthorized overwrites of Project bindings. Furthermore, certain GitHub endpoints do not enforce strong authorization, enabling an attacker to manipulate installation IDs, enumerate repositories, and create CodeRepository records across different projects, potentially leading to significant security risks.

Affected Version(s)

oneuptime < 10.0.19

References

https://github.com/OneUptime/oneuptime/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 9, 2026
Vulnerability Reserved
Mar 7, 2026

CVE-2026-30920 Data

JSON

Oneuptime

What is CVE-2026-30920?

Affected Version(s)

References

CVSS V3.1

Timeline