OneUptime has WhatsApp Resend Verification Authorization Bypass
Description
OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects the UserWhatsAppAPI.ts endpoint and the UserWhatsAppService.ts service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authorization bypass in OneUptime's WhatsApp resend-verification-code endpoint lets authenticated users resend verification codes for any UserWhatsApp record without verifying ownership.
Vulnerability
CVE-2026-30959 is an authorization bypass vulnerability in OneUptime, an open-source monitoring and observability platform [2]. The resend-verification-code endpoint in UserWhatsAppAPI.ts does not validate that the authenticated user owns the UserWhatsApp record being targeted [1][3]. Unlike the verify endpoint which includes an ownership check, the resend endpoint only requires a valid authenticated session and the victim's UserWhatsApp record ID [3]. This flaw is present in both the API endpoint and the underlying service (UserWhatsAppService.ts) [1].
Exploitation
An authenticated attacker with a valid access token can trigger a verification code resend for any UserWhatsApp record that belongs to the same project [3]. The attack requires knowing the target record's itemId, which could be obtained through other means or by enumeration [1]. The attacker sends a POST request to /api/user-whats-app/resend-verification-code with the victim's itemId in the request body [3]. The server responds with HTTP 200 and a new verification code is sent to the victim's WhatsApp number without any confirmation from the legitimate user [3].
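The missing check described in the two sections above, shown as an added example rather than code from the OneUptime repository: a minimal resend handler in the vulnerable shape (any authenticated session may name any record id) next to a hardened one that looks the record up by id and owner. The in-memory store, the handler names resendVulnerable and resendChecked, the HTTP-style result objects and the per-record resend cap are hypothetical; the real UserWhatsAppAPI.ts and UserWhatsAppService.ts code is not reproduced here.

```typescript
// Added example, not OneUptime's code: a minimal model of a WhatsApp
// "resend verification code" handler in its vulnerable shape next to a
// hardened one. Record fields, function names, the 429 cap and the
// HTTP-style result objects are hypothetical illustrations.

interface UserWhatsApp {
  id: string;          // the itemId a client names in the request body
  userId: string;      // owner of the record
  phone: string;       // WhatsApp number the code is delivered to
  isVerified: boolean;
  resendCount: number; // resends issued so far, for the hardened handler's cap
}

interface Session {
  userId: string;      // identity bound to the caller's access token
}

interface Result {
  status: 200 | 404 | 429;
  sentTo?: string;     // phone the verification message went to, if any
}

// Constructed sample data: two users in one project, one record each.
const store: UserWhatsApp[] = [
  { id: "wa-1001", userId: "user-alice", phone: "+15550000001", isVerified: false, resendCount: 0 },
  { id: "wa-1002", userId: "user-bob",   phone: "+15550000002", isVerified: false, resendCount: 0 },
];

// Outbound messages are recorded rather than delivered so this runs offline.
const outbox: { to: string; code: string }[] = [];

const MAX_RESENDS = 3; // hypothetical per-record cap on unverified resends

function issueCode(record: UserWhatsApp): void {
  // A real service generates a random code and stores it with an expiry;
  // a fixed value keeps the example deterministic.
  record.resendCount += 1;
  outbox.push({ to: record.phone, code: "000000" });
}

function countSentTo(phone: string): number {
  return outbox.filter((m) => m.to === phone).length;
}

// Vulnerable shape: a valid session is the only requirement. The session
// is never compared to the record's owner, so the caller can name any
// itemId and the code goes to whoever owns that record.
function resendVulnerable(_session: Session, itemId: string): Result {
  const record = store.find((r) => r.id === itemId);
  if (!record) return { status: 404 };
  issueCode(record);
  return { status: 200, sentTo: record.phone };
}

// Hardened shape: the record is looked up by id AND owner, so a record
// belonging to another user is indistinguishable from one that does not
// exist (no itemId oracle). A per-record cap bounds message flooding even
// by the legitimate owner.
function resendChecked(session: Session, itemId: string): Result {
  const record = store.find((r) => r.id === itemId && r.userId === session.userId);
  if (!record) return { status: 404 };
  if (record.isVerified) return { status: 200 }; // nothing to resend
  if (record.resendCount >= MAX_RESENDS) return { status: 429 };
  issueCode(record);
  return { status: 200, sentTo: record.phone };
}
```

Two design points carry over to a real fix. First, the ownership filter belongs in the query itself (id and owner together), not as a separate check after the lookup: a not-owned record then returns the same 404 as a missing one, so the endpoint cannot be used to confirm which ids exist. Second, since the page notes the flaw in both the API endpoint and the underlying service, the owner constraint should be enforced in the service as well, so that no other caller can reach the resend path with an unchecked id.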
Impact
The ability to trigger verification resends for arbitrary users undermines the trustworthiness of the WhatsApp-based authentication and notification channels in OneUptime [1][3]. An attacker can repeatedly trigger resends, flooding the victim with verification messages (a denial of service against the channel), causing identity confusion, or supplying a pretext for social engineering; the sources also raise account takeover as a possibility [3]. Note that the code itself is delivered to the victim's WhatsApp number rather than to the attacker, so takeover would require a further weakness beyond this missing ownership check. Because the flaw sits in the verification step of a channel used for authentication and alerting, its consequences may extend to the monitoring data, status pages, incident management and other sensitive features that channel protects [2].
Mitigation
The vendor has addressed this vulnerability in release 10.0.21 of OneUptime [4]. Users should update to this version or later to apply the fix [4]. No workarounds are documented, but administrators can temporarily restrict access to the affected endpoint until the update can be applied [1][3].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @oneuptime/common (npm) | < 10.0.21 | 10.0.21 |
Affected products
- OneUptime/oneuptime, affected range: < 10.0.21
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cw6x-mw64-q6pv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-30959 (NVD entry)
- github.com/OneUptime/oneuptime/releases/tag/10.0.21 (release notes)
- github.com/OneUptime/oneuptime/security/advisories/GHSA-cw6x-mw64-q6pv (vendor advisory)
News mentions
No linked articles in our index yet.