VYPR
Moderate severity · NVD Advisory · Published Nov 26, 2025 · Updated Nov 26, 2025

OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation

CVE-2025-66028

Description

OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, it is possible to gain access to the admin dashboard interface. However, an attacker may be unable to view or interact with the data if they still do not have sufficient permissions. This issue has been patched in version 8.0.5567.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OneUptime before 8.0.5567 allows privilege escalation by tampering with the isMasterAdmin flag in the login response to access the admin dashboard.

Vulnerability

Overview

OneUptime, a comprehensive monitoring and observability platform, prior to version 8.0.5567 suffered from a privilege escalation vulnerability through login response manipulation. During the authentication process, the server's response to the client included a parameter named isMasterAdmin. By intercepting this response and modifying the value from false to true, an attacker could gain unauthorized access to the admin dashboard interface [1][4].

Attack

Vector and Prerequisites

The vulnerability is exploitable by intercepting the network traffic between the client and the server during the login step. The attacker must be able to perform a man-in-the-middle attack or otherwise modify the server's response before it reaches the client application. The attacker needs a valid login session of their own to intercept, but no further authentication beyond that [1][4]. The official advisory notes that while the admin dashboard becomes accessible, the attacker may still lack sufficient permissions to view or interact with underlying data [1].

Impact

An attacker who successfully manipulates the isMasterAdmin parameter can access the admin dashboard interface, potentially viewing administrative panels and functions. However, according to the description and advisory, accessing the dashboard does not necessarily grant full data access; further permission checks may still restrict viewing or interacting with sensitive data [1][4].

Mitigation

The vulnerability has been patched in OneUptime version 8.0.5567. The patch, visible in commit 3e72b2a, adds server-side authorization checks to ensure that only users with a valid JSON Web Token containing the isMasterAdmin flag set to true can access the admin application routes [3]. Users are strongly advised to upgrade to the latest version to remediate this issue [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Ecosystem   Affected versions   Patched versions
@oneuptime/common    npm         < 8.0.5567          8.0.5567

Affected products: 2

Patches: 1

3e72b2a9a4f5

fix(admin): restrict AdminDashboard to master admins and guard index render

https://github.com/OneUptime/oneuptime · Simon Larsen · Nov 4, 2025 · via ghsa
2 files changed · +58 −1
  • AdminDashboard/Serve.ts (+51 −1, modified)
    @@ -1,13 +1,62 @@
     import { PromiseVoidFunction } from "Common/Types/FunctionTypes";
    -import Express, { ExpressApplication } from "Common/Server/Utils/Express";
    +import Express, {
    +  ExpressApplication,
    +  ExpressRequest,
    +  ExpressResponse,
    +} from "Common/Server/Utils/Express";
     import logger from "Common/Server/Utils/Logger";
     import App from "Common/Server/Utils/StartServer";
    +import Response from "Common/Server/Utils/Response";
    +import UserMiddleware from "Common/Server/Middleware/UserAuthorization";
    +import JSONWebToken from "Common/Server/Utils/JsonWebToken";
    +import NotAuthorizedException from "Common/Types/Exception/NotAuthorizedException";
    +import { JSONObject } from "Common/Types/JSON";
     import "ejs";
     
     export const APP_NAME: string = "admin";
     
     const app: ExpressApplication = Express.getExpressApp();
     
    +const ensureMasterAdminAccess = async (
    +  req: ExpressRequest,
    +  res: ExpressResponse,
    +): Promise<JSONObject> => {
    +  try {
    +    const accessToken: string | undefined =
    +      UserMiddleware.getAccessTokenFromExpressRequest(req);
    +
    +    if (!accessToken) {
    +      Response.sendErrorResponse(
    +        req,
    +        res,
    +        new NotAuthorizedException("Only master admins can access this app."),
    +      );
    +      return {};
    +    }
    +
    +    const authData = JSONWebToken.decode(accessToken);
    +
    +    if (!authData.isMasterAdmin) {
    +      Response.sendErrorResponse(
    +        req,
    +        res,
    +        new NotAuthorizedException("Only master admins can access this app."),
    +      );
    +      return {};
    +    }
    +
    +    return {};
    +  } catch (error) {
    +    logger.error(error);
    +    Response.sendErrorResponse(
    +      req,
    +      res,
    +      new NotAuthorizedException("Only master admins can access this app."),
    +    );
    +    return {};
    +  }
    +};
    +
     const init: PromiseVoidFunction = async (): Promise<void> => {
       try {
         // init the app
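Review bot: ensureMasterAdminAccess returns `{}` on all three denial paths after sending the error response itself, so its caller cannot distinguish "authorized" from "already denied" by the return value; the guard works only if the caller separately checks `res.headersSent`. Throwing the `NotAuthorizedException` (or returning a result that says access was denied) and letting the caller send the response would make the denial explicit. The check also trusts whatever `JSONWebToken.decode(accessToken)` returns; this is a real server-side authorization only if `decode` verifies the token signature rather than just parsing the payload, and a comment stating that here would make the guarantee visible to the next reader. The three identical `Response.sendErrorResponse(req, res, new NotAuthorizedException("Only master admins can access this app."))` blocks could be one small deny helper.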
    @@ -19,6 +68,7 @@ const init: PromiseVoidFunction = async (): Promise<void> => {
             liveCheck: async () => {},
             readyCheck: async () => {},
           },
    +      getVariablesToRenderIndexPage: ensureMasterAdminAccess,
         });
     
         // add default routes
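Review bot: hooking the check in through `getVariablesToRenderIndexPage` guards only the index page render, which matches the commit message but leaves any other route the admin app serves (API handlers or assets registered after this block) outside this hook; confirm those enforce `isMasterAdmin` themselves, or register the guard as middleware ahead of all admin routes. The option name also reads as a variable provider rather than an access check, so a one-line comment at this call site explaining that the hook denies non-master-admins would help.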
    
  • Common/Server/Utils/StartServer.ts (+7 −0, modified)
    @@ -249,6 +249,13 @@ const init: InitFunction = async (
               logger.debug("Rendering index page with variables: ");
               logger.debug(variables);
     
    +          if (res.headersSent) {
    +            logger.debug(
    +              "Response already sent while preparing index page. Skipping render.",
    +            );
    +            return;
    +          }
    +
               return res.render("/usr/src/app/views/index.ejs", {
                 enableGoogleTagManager: IsBillingEnabled || false,
                 ...variables,
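Review bot: the `res.headersSent` guard is the right defensive check, but it makes the contract implicit: a `getVariablesToRenderIndexPage` hook that wants to deny access must send its own response, and a hook that returns normally without doing so falls straight through to `res.render`. Documenting that contract on the option, or having this code catch an exception thrown by the hook and send the error response here, would stop a future hook from silently rendering the index page to an unauthorized user.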
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in our index yet)