LeakyCreds

CVE-2026-30956 - Vulnerability Analysis

Critical | CVSS: 9.9

Last Updated: March 11, 2026

OneUptime - Broken Access Control

Published: March 10, 2026 | Updated: March 11, 2026 | Remote Exploitable

Overview

OneUptime <= 10.0.20 contains a broken access control vulnerability caused by trusting the client-supplied is-multi-tenant-query header. A low-privileged user can bypass authorization and tenant isolation to access other tenants' data and take over accounts. Exploitation requires sending forged headers.
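
The root cause described above, shown as an added JavaScript example of the general pattern and its hardened form; this is not OneUptime's code. Only the header name comes from this advisory; the function names, session fields and sample request are hypothetical.

```javascript
// Added illustration, not OneUptime source. Only the header name comes from
// the advisory; function names, session fields and sample data are hypothetical.
const SCOPE_HEADER = "is-multi-tenant-query";

// Vulnerable pattern: presence of a client-supplied header switches off the
// tenant filter, so the caller decides its own authorization scope.
function scopeVulnerable(req, session) {
  if (req.headers[SCOPE_HEADER] !== undefined) {
    return { tenantFilter: null }; // null = query is not restricted to a tenant
  }
  return { tenantFilter: session.tenantId };
}

// Hardened pattern: the header is only a request. Scope is decided from
// server-side session state, and an unentitled request is flagged for logging.
function scopeHardened(req, session) {
  const asked = req.headers[SCOPE_HEADER] !== undefined;
  const entitled = session.crossTenantAllowed === true; // set by the server at login
  if (asked && entitled) {
    return { tenantFilter: null, denied: false };
  }
  return { tenantFilter: session.tenantId, denied: asked };
}

// Constructed sample: a low-privileged session in tenant-a sends the header.
function demo() {
  const session = { userId: "u-17", tenantId: "tenant-a", crossTenantAllowed: false };
  const req = { headers: { [SCOPE_HEADER]: "true" } }; // value is a constructed placeholder
  return {
    vulnerable: scopeVulnerable(req, session),
    hardened: scopeHardened(req, session),
  };
}

console.log(JSON.stringify(demo()));
```

The `denied` flag gives the request handler something to log and alert on when a principal asks for cross-tenant scope it is not entitled to.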

Severity & Score

Severity: Critical
CVSS Score: 9.9
EPSS Score: 3.9% (Probability of exploitation in next 30 days)

Impact

Attackers can access other tenants' data, read sensitive user information, and fully take over accounts, leading to data exposure and account compromise.

Mitigation

Upgrade to version 10.0.21 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 10, 2026

🔴 CVE-2026-30956 - Critical (9.9) OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending a forged is-multi-tenant-query header togethe... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30956/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-30956
Severity: Critical
CVSS Score: 9.9
Type: broken_access_control
Status: unconfirmed
EPSS: 3.9%
Social Posts: 1

CWE

  • CWE-285

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

3.9% (Probability of exploitation in the next 30 days)