SCA: security update for @oneuptime/common (GHSA-656w-6f6c-m9r6)

high Tenable Cloud Security Plugin ID 438499

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub
App callback trusts attacker-controlled state and installation_id values and updates
Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the
target project. This allows an attacker to overwrite another project's GitHub App installation binding.
Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to
enumerate repositories and create CodeRepository records in an arbitrary project. This vulnerability is
fixed in 10.0.19. (CVE-2026-30920)

Solution

Update the @oneuptime/common library and its related packages to version 10.0.19 or later.

See Also

https://github.com/advisories/GHSA-656w-6f6c-m9r6

Plugin Details

Severity: High

ID: 438499

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 3/9/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.9

Percentile: 52.77

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:C/A:P

CVSS Score Source: CVE-2026-30920

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/9/2026

Vulnerability Publication Date: 3/9/2026

Reference Information

CVE: CVE-2026-30920