SCA: security update for @oneuptime/common (GHSA-r5v6-2599-9g3m)

critical Tenable Cloud Security Plugin ID 438558

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OneUptime is a solution for monitoring and managing online services. In OneUptime v10.0.20 and earlier, a
low-privileged user can bypass authorization and tenant isolation by sending a forged
is-multi-tenant-query header together with a controlled projectid header. Because the server trusts this
client-supplied header, the internal permission checks in BasePermission are skipped and tenant scoping is
disabled. This allows attackers to access project data belonging to other tenants, read sensitive User
fields via nested relations, leak the plaintext resetPasswordToken, and reset the victim's password to
fully take over the account. The result is cross-tenant data exposure and full account takeover. This
vulnerability is fixed in 10.0.21. (CVE-2026-30956)
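The security-relevant point of this advisory is a general one: tenant scope and permission checks must be derived from the server-verified principal, never from headers the client controls. The following TypeScript is an added illustration written for this page; it is not OneUptime's code and is not taken from the advisory. It models the flaw in simplified form (a client-honoured multi-tenant flag that drops scoping and the permission check) next to a hardened version that treats the projectid header as an untrusted hint and validates it against the caller's membership, plus a small detection helper. The type names, function names, field names (principal, projectIds, isMasterAdmin) and the sample project ids are assumptions made for the example; only the two header names come from the advisory.

```typescript
// Added example, not OneUptime's code. Request shape, principal fields and the
// "permission check" flag are simplified assumptions for illustration only.

type Principal = { userId: string; projectIds: string[]; isMasterAdmin: boolean };

type ApiRequest = {
  // header names as they appear in the advisory; values are client-controlled
  headers: Record<string, string | undefined>;
  // established by server-side session/token validation, never read from a header
  principal: Principal;
};

type Scope =
  | { ok: true; projectId: string | null; skipPermissionCheck: boolean }
  | { ok: false; reason: string };

// Vulnerable pattern: the server honours a client-supplied
// "is-multi-tenant-query" header and, when it is set, drops both the tenant
// filter and the per-project permission check.
function scopeTrustingHeaders(req: ApiRequest): Scope {
  if (req.headers["is-multi-tenant-query"] === "true") {
    return { ok: true, projectId: null, skipPermissionCheck: true };
  }
  const projectId = req.headers["projectid"];
  if (!projectId) return { ok: false, reason: "missing projectid" };
  return { ok: true, projectId, skipPermissionCheck: false };
}

// Hardened pattern: the projectid header is at most a hint. Tenant scope is
// checked against the authenticated principal, cross-tenant (unscoped) queries
// are allowed only for a server-verified admin role, and the permission check
// is never skipped. The client-supplied multi-tenant flag is ignored entirely.
function scopeFromPrincipal(req: ApiRequest): Scope {
  const requested = req.headers["projectid"];
  if (req.principal.isMasterAdmin) {
    return { ok: true, projectId: requested ?? null, skipPermissionCheck: false };
  }
  if (!requested) return { ok: false, reason: "missing projectid" };
  if (!req.principal.projectIds.includes(requested)) {
    return { ok: false, reason: "caller is not a member of the requested project" };
  }
  return { ok: true, projectId: requested, skipPermissionCheck: false };
}

// Detection helper: a non-admin principal presenting the multi-tenant header is
// worth logging even on a patched deployment, since it marks an attempt to use
// the old behaviour.
function isSuspicious(req: ApiRequest): boolean {
  return req.headers["is-multi-tenant-query"] === "true" && !req.principal.isMasterAdmin;
}

// Constructed sample: a low-privileged member of project "p-A" sends the forged
// header together with the projectid of another tenant, "p-B".
const forgedRequest: ApiRequest = {
  headers: { "is-multi-tenant-query": "true", projectid: "p-B" },
  principal: { userId: "u-1", projectIds: ["p-A"], isMasterAdmin: false },
};

// Constructed sample: the same user asking for a project they actually belong to.
const ownProjectRequest: ApiRequest = {
  headers: { projectid: "p-A" },
  principal: forgedRequest.principal,
};

console.log("vulnerable:", scopeTrustingHeaders(forgedRequest));   // unscoped, check skipped
console.log("hardened:", scopeFromPrincipal(forgedRequest));       // rejected
console.log("hardened, own project:", scopeFromPrincipal(ownProjectRequest));
console.log("flagged:", isSuspicious(forgedRequest));
```

The design choice worth copying is that `scopeFromPrincipal` never reads the multi-tenant flag at all: the only way to run an unscoped query is to hold a role the server has already verified, so there is nothing for a forged header to influence. Upgrading to 10.0.21 or later removes the trust in the header in the real code base; the detection helper is a separate, additional control for spotting probes.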

Solution

Update the @oneuptime/common library and its related packages to version 10.0.21 or later.

See Also

https://github.com/advisories/GHSA-r5v6-2599-9g3m

Plugin Details

Severity: Critical

ID: 438558

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 3/10/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-30956

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 8.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/10/2026

Vulnerability Publication Date: 3/10/2026

Reference Information

CVE: CVE-2026-30956