OneUptime ClickHouse SQL Injection via Aggregate Query Parameters
Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OneUptime prior to 10.0.23 contains a ClickHouse SQL injection in the telemetry aggregation API, allowing authenticated attackers to read/modify all telemetry data and potentially achieve remote code execution.
Vulnerability
OneUptime prior to version 10.0.23 suffers from a SQL injection vulnerability in its telemetry aggregation API. The API accepts user-controlled parameters aggregationType, aggregateColumnName, and aggregationTimestampColumnName and interpolates them directly into ClickHouse SQL queries using the .append() method, which is documented as accepting "trusted SQL" and performs raw string concatenation [1][2]. No allowlist, parameterized bindings, or input validation are applied.
Exploitation
An authenticated user can exploit this by sending a crafted POST request to the /{modelName}/aggregate route whose aggregateBy object carries attacker-chosen values for aggregationType, aggregateColumnName, and aggregationTimestampColumnName. The parameters are deserialized and passed without validation to the query builder, which concatenates them into the ClickHouse query, so any SQL the attacker places in those fields becomes part of the statement [2]. No special privileges beyond authentication are required.
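To make the mechanics described in the Vulnerability and Exploitation sections concrete, the following is an added example written for this page; it is not OneUptime's code and does not reproduce its query builder. It places a deliberately unsafe builder that concatenates the three request parameters (the pattern the advisory describes) beside a hardened one that allowlists the aggregation function, checks the column names against a schema-derived allowlist, and backtick-quotes identifiers. The table name, column names, request shape, and the crafted aggregateColumnName value are constructed for illustration.

```typescript
// Added example (not OneUptime's code): an interpolating aggregate query
// builder versus an allowlisted, identifier-quoted one. Table and column
// names and the request shape below are assumptions for illustration.

type AggregateBy = {
  aggregationType: string;
  aggregateColumnName: string;
  aggregationTimestampColumnName: string;
};

// Unsafe: mirrors the "trusted SQL" concatenation pattern. Whatever the
// caller supplies is spliced verbatim into the ClickHouse statement.
function buildAggregateQueryUnsafe(table: string, a: AggregateBy): string {
  return (
    `SELECT ${a.aggregationType}(${a.aggregateColumnName}) AS value, ` +
    `toStartOfInterval(${a.aggregationTimestampColumnName}, INTERVAL 1 MINUTE) AS ts ` +
    `FROM ${table} GROUP BY ts ORDER BY ts`
  );
}

// Hardened: only these aggregate functions may be selected by the client.
const ALLOWED_AGGREGATIONS: ReadonlySet<string> = new Set(["sum", "avg", "min", "max", "count"]);

// A bare SQL identifier: no quotes, parentheses, spaces or comment markers.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

class InvalidAggregateInput extends Error {}

// Quote an identifier for ClickHouse (backticks) after proving it is one.
function quoteIdentifier(name: string): string {
  if (!IDENTIFIER.test(name)) {
    throw new InvalidAggregateInput(`invalid identifier: ${JSON.stringify(name)}`);
  }
  return `\`${name}\``;
}

// allowedColumns is meant to come from the model's schema, not the request.
function buildAggregateQuerySafe(
  table: string,
  a: AggregateBy,
  allowedColumns: ReadonlySet<string>,
): string {
  const fn = a.aggregationType.toLowerCase();
  if (!ALLOWED_AGGREGATIONS.has(fn)) {
    throw new InvalidAggregateInput(`aggregation not allowed: ${JSON.stringify(a.aggregationType)}`);
  }
  for (const col of [a.aggregateColumnName, a.aggregationTimestampColumnName]) {
    if (!allowedColumns.has(col)) {
      throw new InvalidAggregateInput(`column not allowed: ${JSON.stringify(col)}`);
    }
  }
  return (
    `SELECT ${fn}(${quoteIdentifier(a.aggregateColumnName)}) AS value, ` +
    `toStartOfInterval(${quoteIdentifier(a.aggregationTimestampColumnName)}, INTERVAL 1 MINUTE) AS ts ` +
    `FROM ${quoteIdentifier(table)} GROUP BY ts ORDER BY ts`
  );
}

// Constructed request bodies: one benign, one that closes the aggregate
// call and redirects the FROM clause (hypothetical table name).
const benignRequest: AggregateBy = {
  aggregationType: "AVG",
  aggregateColumnName: "value",
  aggregationTimestampColumnName: "created_at",
};
const craftedRequest: AggregateBy = {
  aggregationType: "avg",
  aggregateColumnName: "value) FROM other_tenant_metrics --",
  aggregationTimestampColumnName: "created_at",
};
const schemaColumns: ReadonlySet<string> = new Set(["value", "created_at"]);

// Returns true when the hardened builder rejects the request.
function isRejected(table: string, a: AggregateBy): boolean {
  try {
    buildAggregateQuerySafe(table, a, schemaColumns);
    return false;
  } catch (e) {
    return e instanceof InvalidAggregateInput;
  }
}
```

The regex alone is not the defence: the schema allowlist is what stops a syntactically valid identifier such as a column from another tenant's table, and the function allowlist is what keeps ClickHouse table functions out of the SELECT list. Quoting is a second layer in case the allowlist is ever populated from a less trusted source.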
Impact
Successful exploitation allows an attacker to read all telemetry data across tenants, modify database records, and potentially execute remote code via ClickHouse table functions (e.g., url() or file()) [1][2]. This compromises confidentiality, integrity, and availability of the monitoring platform.
Mitigation
The vulnerability is fixed in OneUptime version 10.0.23 [4]. Users should confirm which version of the oneuptime package they are running and upgrade immediately to 10.0.23 or later. There are no known workarounds; restricting who can authenticate reduces exposure but does not remove the injection.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| oneuptime (npm) | < 10.0.23 | 10.0.23 |
Affected products
- OneUptime/oneuptime, version range: < 10.0.23
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. https://github.com/advisories/GHSA-p5g2-jm85-8g35 (GHSA advisory)
2. https://nvd.nist.gov/vuln/detail/CVE-2026-32306 (NVD advisory)
3. https://github.com/OneUptime/oneuptime/releases/tag/10.0.23 (release notes)
4. https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p5g2-jm85-8g35 (vendor security advisory)
News mentions
No linked articles in our index yet.