CVE-2026-30920 - Vulnerability Analysis
Severity: High | CVSS: 8.6 | Last Updated: March 11, 2026
OneUptime - Broken Access Control
Overview
OneUptime versions prior to 10.0.19 contain a broken access control vulnerability in the GitHub App installation callback. The callback trusts the attacker-controlled `state` and `installation_id` query parameters and writes the supplied installation ID into Project.gitHubAppInstallationId as a root-level (isRoot: true) update, without checking that the caller is entitled to administer the project named by `state`. An attacker who holds a valid GitHub App installation ID of their own can therefore point the callback at another project, overwrite that project's GitHub App binding, and enumerate repositories through it. The exploit requires a valid installation ID.
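The weakness described above is the general OAuth-style callback mistake of accepting `state` as a plain identifier instead of as a server-issued, signed token bound to the caller. The following TypeScript is an added illustration, not OneUptime's code and not the change shipped in 10.0.19: `vulnerableCallback` shows the trusting shape, and `mintState`/`verifyState`/`hardenedCallback` show one way to close it by signing `state` with an HMAC, binding it to the session and project, re-checking project membership at callback time, and refusing an `installation_id` that the GitHub API does not know. The `Project`, `Session`, `InstallationLookup` names and the in-memory data are assumptions made for the example; `InstallationLookup` stands in for a call to GitHub's `GET /app/installations/{installation_id}` endpoint.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Stand-ins for a project record and an authenticated session (assumed shapes, not OneUptime's data model).
interface Project { id: string; gitHubAppInstallationId: string | null; }
interface Session { userId: string; projectIds: string[]; }
interface CallbackQuery { state: string; installation_id: string; }
// Stand-in for GET /app/installations/{id} on the GitHub API; null means the id does not exist.
type InstallationLookup = (installationId: string) => { account: string } | null;

const STATE_SECRET = randomBytes(32);   // server-side key used to sign state; kept in memory for this example
const STATE_TTL_MS = 10 * 60 * 1000;    // a state token is only accepted for ten minutes

// Vulnerable shape: `state` is taken to be the target project id and `installation_id` is written
// straight into that project. Nothing checks that the caller may administer the project.
function vulnerableCallback(projects: Map<string, Project>, query: CallbackQuery): boolean {
  const project = projects.get(query.state);
  if (!project) return false;
  project.gitHubAppInstallationId = query.installation_id;   // hostile rebinding succeeds
  return true;
}

// Hardened step 1: mint `state` server-side before redirecting to GitHub. It names the user and project,
// carries an expiry and a nonce, and is HMAC-signed so the client cannot forge or alter it.
// Ids are assumed to contain no "." because that is the field separator.
function mintState(session: Session, projectId: string, now: number = Date.now()): string {
  if (!session.projectIds.includes(projectId)) throw new Error("caller is not a member of this project");
  const payload = [session.userId, projectId, String(now + STATE_TTL_MS), randomBytes(16).toString("hex")].join(".");
  const sig = createHmac("sha256", STATE_SECRET).update(payload).digest("hex");
  return Buffer.from(`${payload}.${sig}`).toString("base64url");
}

// Hardened step 2: on callback, accept `state` only if signature, expiry and session binding all hold.
// Returns the bound project id, or null when anything fails.
function verifyState(state: string, session: Session, now: number = Date.now()): string | null {
  const parts = Buffer.from(state, "base64url").toString("utf8").split(".");
  if (parts.length !== 5) return null;
  const [userId, projectId, expires, nonce, sig] = parts;
  const expected = createHmac("sha256", STATE_SECRET).update([userId, projectId, expires, nonce].join(".")).digest("hex");
  const got = Buffer.from(sig, "hex");
  const want = Buffer.from(expected, "hex");
  if (got.length !== want.length || !timingSafeEqual(got, want)) return null;   // forged or altered
  if (!/^\d+$/.test(expires) || Number(expires) < now) return null;             // expired
  if (userId !== session.userId) return null;                                   // replayed into another session
  if (!session.projectIds.includes(projectId)) return null;                     // membership re-checked at callback time
  return projectId;
}

// Hardened step 3: write the binding only after `state` verifies and `installation_id` is a real installation.
function hardenedCallback(projects: Map<string, Project>, session: Session, query: CallbackQuery,
                          lookup: InstallationLookup, now: number = Date.now()): { ok: boolean; reason: string } {
  const projectId = verifyState(query.state, session, now);
  if (projectId === null) return { ok: false, reason: "state rejected" };
  if (!/^\d+$/.test(query.installation_id)) return { ok: false, reason: "malformed installation_id" };
  if (lookup(query.installation_id) === null) return { ok: false, reason: "unknown installation" };
  const project = projects.get(projectId);
  if (!project) return { ok: false, reason: "project not found" };
  project.gitHubAppInstallationId = query.installation_id;
  return { ok: true, reason: "bound" };
}

// Constructed scenario: an attacker who is a member of "attacker-proj" only, holding their own real
// installation 999, tries to rebind the unrelated project "victim".
function demo(): { vulnerableRebound: boolean; hardenedForged: string; hardenedOwnProject: string; hardenedCrossSession: string } {
  const mk = () => new Map<string, Project>([
    ["victim", { id: "victim", gitHubAppInstallationId: "100" }],
    ["attacker-proj", { id: "attacker-proj", gitHubAppInstallationId: null }],
  ]);
  const attacker: Session = { userId: "u-attacker", projectIds: ["attacker-proj"] };
  const victimOwner: Session = { userId: "u-victim", projectIds: ["victim"] };
  const gh: InstallationLookup = (id) => (id === "999" ? { account: "attacker-org" } : null);

  const p1 = mk();   // trusting callback: the victim project is rebound to the attacker's installation
  const vulnerableRebound = vulnerableCallback(p1, { state: "victim", installation_id: "999" })
    && p1.get("victim")!.gitHubAppInstallationId === "999";

  const p2 = mk();
  // A hand-built state naming the victim project fails the signature check.
  const forgedState = Buffer.from("u-victim.victim.9999999999999.00.deadbeef").toString("base64url");
  const forged = hardenedCallback(p2, attacker, { state: forgedState, installation_id: "999" }, gh).reason;
  // The attacker may still bind their own project.
  const own = hardenedCallback(p2, attacker, { state: mintState(attacker, "attacker-proj"), installation_id: "999" }, gh).reason;
  // A genuine state minted for the victim's owner, replayed from the attacker's session, is refused.
  const cross = hardenedCallback(p2, attacker, { state: mintState(victimOwner, "victim"), installation_id: "999" }, gh).reason;
  return { vulnerableRebound, hardenedForged: forged, hardenedOwnProject: own, hardenedCrossSession: cross };
}
```

The membership check runs twice on purpose: once when `state` is minted and again when the callback arrives, so a user removed from a project in between cannot complete a binding they started. The GitHub lookup only confirms the installation exists; it does not by itself establish who may bind it, which is why the signed, session-bound `state` carries the authorization decision.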
Severity & Score
Impact
An attacker can overwrite a project's GitHub App binding and enumerate repositories, gaining unauthorized access to data and the ability to manipulate the project's GitHub integration. The CVSS vector rates the flaw PR:N and UI:N: the attacker needs a valid GitHub App installation ID to supply, but no privileges on the targeted project and no action by its owners.
Mitigation
Update to version 10.0.19 or later. Because a successful exploit leaves a changed Project.gitHubAppInstallationId behind, operators of instances that ran an affected version should also review their projects' GitHub App bindings for installation IDs they do not recognise.
Social Media Activity (2 posts)
CVE-2026-30920 - High (8.6) OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true withou... https://www.thehackerwire.com/vulnerability/CVE-2026-30920/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-30920
- Severity: High
- CVSS Score: 8.6
- Type: Broken access control
- Status: unconfirmed
- EPSS: 0.6%
- Social Posts: 2
CWE
- CWE-345 (Insufficient Verification of Data Authenticity)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope; low confidentiality impact, high integrity impact, low availability impact. These metrics yield the 8.6 base score above.