Login Sign Up

CVE-2024-29194

8.3 HIGH
Authentication Bypass

📋 TL;DR

This CVE describes an authorization bypass vulnerability in OneUptime where attackers can manipulate client-side stored data to gain administrative privileges. By changing the is_master_admin key from false to true in browser local storage, users can escalate to admin without proper server-side validation. All OneUptime users running vulnerable versions are affected.

💻 Affected Systems

Products:
  • OneUptime
Versions: All versions before 7.0.1815
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects web interface of OneUptime monitoring solution regardless of deployment method.

📦 What is this software?

Oneuptime by Hackerbay

View all CVEs affecting Oneuptime →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the OneUptime monitoring system, allowing attackers to modify monitoring configurations, access sensitive data, and potentially pivot to monitored systems.

🟠

Likely Case

Unauthorized administrative access leading to service disruption, data exposure, and privilege escalation within the monitoring platform.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, though authentication bypass still possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but then simple browser developer tools manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.1815

Vendor Advisory: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-246p-xmg8-wmcq

Restart Required: Yes

Instructions:

1. Backup current configuration. 2. Update to version 7.0.1815 or later. 3. Restart OneUptime services. 4. Verify fix by checking version and testing authentication.

🔧 Temporary Workarounds

Implement server-side validation

all

Add server-side checks for admin privileges instead of relying on client-side storage

Restrict access to web interface

all

Limit network access to OneUptime web interface using firewall rules

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate OneUptime from critical systems
  • Enable detailed logging and monitoring for unusual admin privilege changes

🔍 How to Verify

Check if Vulnerable:

Check if is_master_admin key in browser local storage can be modified to true and grants admin access without server validation

Check Version:

Check OneUptime dashboard or run appropriate version command for your deployment method

Verify Fix Applied:

After patching, attempt to modify is_master_admin key and verify admin access is not granted

📡 Detection & Monitoring

Log Indicators:

  • Unexpected admin privilege escalations
  • Multiple failed login attempts followed by successful admin access
  • User sessions with unusual privilege changes

Network Indicators:

  • Unusual API calls to admin endpoints from non-admin users
  • Traffic patterns suggesting privilege escalation attempts

SIEM Query:

source="oneuptime" AND (event_type="privilege_escalation" OR user_role_changed="true")

📊 Metadata

CVE ID: CVE-2024-29194
CVSS v3 Score: 8.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CWE: CWE-639
Published: March 24, 2024
Last Updated: December 5, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-29194, you might also want to check these:

CVE-2025-40805 10.0

This critical vulnerability allows unauthenticated remote attackers to bypass authentication on spec...

Same vulnerability type (CWE-639)
CVE-2024-45032 10.0

This critical vulnerability allows unauthenticated remote attackers to impersonate legitimate device...

Same vulnerability type (CWE-639)
CVE-2025-0987 9.9

CVE-2025-0987 is an authorization bypass vulnerability in CB Project Ltd. Co. CVLand software that a...

Same vulnerability type (CWE-639)