3 matches found
CVE-2026-30920 OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installationid values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the...
GHSA-656W-6F6C-M9R6 OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
Summary OneUptime's GitHub App callback trusts attacker-controlled state and installationid values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub A...
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
Summary OneUptime's GitHub App callback trusts attacker-controlled state and installationid values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub A...