Vulnerability Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hackerbay | Oneuptime | < 10.0.23 |
Related Weaknesses (CWE)
References
- https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p5g2-jm85-8g35ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-32306?
CVE-2026-32306 is a vulnerability with a CVSS score of 9.9 (CRITICAL). OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimest...
How severe is CVE-2026-32306?
CVE-2026-32306 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-32306?
Check the references section above for vendor advisories and patch information. Affected products include: Hackerbay Oneuptime.