OneUptime Unauthorized User Creation via API
Description
OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In OneUptime 9.0.5598, a low-privilege user can create new accounts via a direct API request due to misconfigured access control, enabling unauthorized account creation.
Vulnerability
Overview
In OneUptime version 9.0.5598, the User table's access control misconfiguration allows any authenticated user, even those with low privileges, to create new accounts by sending a direct API request to the user creation endpoint. The root cause is the assignment of Permission.Public to the create action in the @TableAccessControl decorator, as shown in the fix commit [3]. This bypasses the intended access restrictions that should limit account creation to specific UI paths or administrative roles [1][4].
Exploitation
Details
An attacker with a low-permission account (e.g., a newly created user) can craft a direct HTTP request to the API endpoint responsible for user creation, without needing to interact with the intended UI or follow the required workflow. No additional authentication or authorization checks are enforced because the create permission is set to Public, meaning any authenticated user is implicitly granted the ability to create new accounts [3][4].
Impact
Successful exploitation allows an attacker to create unauthorized accounts within the OneUptime instance. This compromises the integrity of the user base, enabling an attacker to escalate privileges, gain persistent access, or perform further malicious actions within the monitored environment [1][4].
Mitigation
The vulnerability has been patched in OneUptime version 9.1.0 by removing the Permission.Public entry from the create array in the User model's access control, effectively restricting account creation to authorized contexts [3]. Users should upgrade to version 9.1.0 or later to remediate this issue [1][2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
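As an added illustration (not OneUptime's code), the following TypeScript models a per-table access-control declaration like the one described in the Overview and Mitigation above, with the weak setting beside the patched one, plus an audit that flags mutating actions open to Public. The names Permission, TableAccessControl, isAllowed and auditPublicWrites, and the rule that Public matches every caller, are assumptions for this example.

```typescript
// Added example, not OneUptime's code: a toy model of a per-table access-control
// declaration and an audit over it. Permission, TableAccessControl, isAllowed and
// auditPublicWrites are assumed names; Public is modelled as matching every caller.

const Permission = {
  Public: "Public",
  CurrentUser: "CurrentUser",
} as const;
type Permission = (typeof Permission)[keyof typeof Permission];

type Action = "create" | "read" | "update" | "delete";
type TableAccessControl = Record<Action, Permission[]>;

// Weak declaration, as in the 9.0.5598 User model: create is open to Public.
const userTableBefore: TableAccessControl = {
  create: [Permission.Public],
  read: [Permission.CurrentUser],
  update: [Permission.CurrentUser],
  delete: [Permission.CurrentUser],
};

// Patched declaration, as in 9.1.0: an empty create list, so the generic
// create path grants nobody (legitimate sign-up must use its own code path).
const userTableAfter: TableAccessControl = { ...userTableBefore, create: [] };

// May a caller holding `held` permissions perform `action` on the table?
// A Public entry matches any caller; otherwise the caller must hold a listed permission.
function isAllowed(acl: TableAccessControl, action: Action, held: Permission[]): boolean {
  return acl[action].some((p) => p === Permission.Public || held.includes(p));
}

// Audit: list every (table, action) pair where a mutating action is open to Public,
// the pattern a reviewer would want flagged before it reaches a user-creation endpoint.
function auditPublicWrites(tables: Record<string, TableAccessControl>): string[] {
  const findings: string[] = [];
  const writes: Action[] = ["create", "update", "delete"];
  for (const [name, acl] of Object.entries(tables)) {
    for (const action of writes) {
      if (acl[action].includes(Permission.Public)) findings.push(`${name}.${action}`);
    }
  }
  return findings;
}
```

Running auditPublicWrites over every model's declaration in a codebase is a cheap regression check that the pattern fixed here does not reappear on another table.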
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @oneuptime/common (npm) | < 9.1.0 | 9.1.0 |
Affected products
- OneUptime/oneuptime: version = 9.0.5598
Patches
- 07bc6d4edde7: fix: remove public create permission from User table access control
1 file changed · +1 −1
Common/Models/DatabaseModels/User.ts+1 −1 modified@@ -30,7 +30,7 @@ import { Column, Entity, Index, JoinColumn, ManyToOne } from "typeorm"; }) @AllowAccessIfSubscriptionIsUnpaid() @TableAccessControl({ - create: [Permission.Public], + create: [], read: [Permission.CurrentUser], delete: [Permission.CurrentUser], update: [Permission.CurrentUser],
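Review bot: the hunk replaces `create: [Permission.Public]` with `create: []` without adding any alternative permission, so the generic create path on the User table now denies every caller, and neither the hunk nor the commit message says which code path legitimate sign-up or administrator-driven account creation uses instead; a sentence in the commit message naming that path, and a test asserting that a low-privilege authenticated user gets a denial from the user-creation endpoint while the intended path still succeeds, would make the fix verifiable. Since the same `@TableAccessControl` shape with `read`, `delete` and `update` lists is visible here, it is also worth checking the other models' declarations for a `Public` entry on a mutating action before closing this out.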
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-m449-vh5f-574g (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2025-65966 (NVD entry)
- [3] github.com/OneUptime/oneuptime/commit/07bc6d4edde7397ea6b88f889c065ec392052ab4 (fix commit)
- [4] github.com/OneUptime/oneuptime/security/advisories/GHSA-m449-vh5f-574g (vendor security advisory)