OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding. Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project. This vulnerability is fixed in 10.0.19.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OneUptime prior to 10.0.19 lacks authorization validation in its GitHub App callback, allowing an attacker to overwrite another project's GitHub installation and enumerate repositories.
Vulnerability Overview
CVE-2026-30920 is an authorization bypass vulnerability in OneUptime versions prior to 10.0.19. The root cause is that the GitHub App OAuth callback trusts attacker-controlled state and installation_id parameters without verifying that the caller is authorized to modify the target project. Because the resulting update of gitHubAppInstallationId is performed with isRoot: true and no authorization check, an attacker can overwrite any project's binding and effectively hijack its GitHub App installation [1][2].
Attack Vector and Exploitation
The attack is exploitable over the network without authentication: an attacker can craft a malicious OAuth callback URL incorporating arbitrary state and installation_id values. Additionally, related GitHub API endpoints lack effective authorization checks, so if the attacker possesses a valid GitHub App installation ID (e.g., obtained by installing their own malicious app), they can enumerate repositories and create CodeRepository records in any arbitrary project [1][4].
Impact
A successful attack allows the attacker to substitute another project's GitHub App installation binding with one they control. This enables listing of the victim project's repositories and creation of CodeRepository entries, potentially leading to unauthorized access to source code, secrets, and monitoring data tied to those repositories. The impact is high as it bypasses core multi-tenant isolation in a monitoring platform [1][3].
Mitigation
The vulnerability is fixed in OneUptime version 10.0.19. Users should upgrade immediately. No workarounds are documented; the patch introduces proper authorization validation in the GitHub callback handler and related endpoints [1].
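As an added illustration of the two checks the mitigation describes (this is example code, not OneUptime's handler and not the actual patch), the TypeScript below binds the OAuth state parameter to the authenticated user and the target project with an HMAC, then verifies project membership before the installation binding is written. The types, in-memory storage, secret and sample users are assumptions constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical stand-ins for the project and membership models (assumptions for
// this example; not OneUptime's real types, storage or secret handling).
interface Project { id: string; gitHubAppInstallationId: string | null; }
interface Session { userId: string; }

const STATE_SECRET = "example-only-secret"; // constructed; a deployment would load a real key
export const projects = new Map<string, Project>([
  ["proj-victim", { id: "proj-victim", gitHubAppInstallationId: "111" }],
  ["proj-attacker", { id: "proj-attacker", gitHubAppInstallationId: null }],
]);
// userId -> projects that user is allowed to administer (constructed sample data)
const members = new Map<string, Set<string>>([
  ["alice", new Set(["proj-victim"])],
  ["mallory", new Set(["proj-attacker"])],
]);

// Start of the install flow: bind state to the authenticated user AND the target project.
export function mintState(session: Session, projectId: string): string {
  const payload = Buffer.from(`${session.userId}|${projectId}`).toString("hex");
  const mac = createHmac("sha256", STATE_SECRET).update(payload).digest("hex");
  return `${payload}.${mac}`;
}

// Callback: accept only a state that this server minted for this exact session.
function projectFromState(state: string, session: Session): string | null {
  const [payload, mac] = state.split(".");
  if (!payload || !mac) return null;
  const expected = createHmac("sha256", STATE_SECRET).update(payload).digest("hex");
  if (mac.length !== expected.length) return null;
  if (!timingSafeEqual(Buffer.from(mac), Buffer.from(expected))) return null;
  const [userId, projectId] = Buffer.from(payload, "hex").toString().split("|");
  return userId === session.userId ? projectId : null; // state minted for someone else is rejected
}

// Callback handler: authentication, state integrity, project membership, then (and only then) the write.
export function handleCallback(session: Session | null, query: { state: string; installation_id: string }): { ok: boolean; reason?: string } {
  if (!session) return { ok: false, reason: "unauthenticated" };
  const projectId = projectFromState(query.state, session);
  if (!projectId) return { ok: false, reason: "invalid or foreign state" };
  if (!members.get(session.userId)?.has(projectId)) return { ok: false, reason: "caller not authorized for project" };
  if (!/^\d+$/.test(query.installation_id)) return { ok: false, reason: "malformed installation_id" };
  const project = projects.get(projectId);
  if (!project) return { ok: false, reason: "unknown project" };
  // A real handler would also confirm with GitHub that this installation belongs to the app before trusting it.
  project.gitHubAppInstallationId = query.installation_id;
  return { ok: true };
}
```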
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @oneuptime/common (npm) | < 10.0.19 | 10.0.19 |
Affected products
- OneUptime/oneuptime (v5), affected range: < 10.0.19
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-656w-6f6c-m9r6 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-30920 (NVD entry)
- github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts (source)
- github.com/OneUptime/oneuptime/blob/master/Common/Server/Middleware/UserAuthorization.ts (source)
- github.com/OneUptime/oneuptime/blob/master/Common/Server/Utils/CodeRepository/GitHub/GitHub.ts (source)
- github.com/OneUptime/oneuptime/security/advisories/GHSA-656w-6f6c-m9r6 (vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.