CVE-2026-30920
📋 TL;DR
This vulnerability in OneUptime lets an attacker hijack GitHub App installations and alter a project's repository configuration without authorization. Because the GitHub App integration does not verify that the caller is entitled to the project it writes to, an attacker can overwrite another project's GitHub App binding and create CodeRepository records in that project that its owners never sanctioned. All OneUptime instances running versions before 10.0.19 are affected.
💻 Affected Systems
- OneUptime
⚠️ Manual Verification Required
The CVE database entry for this issue does not carry version ranges, so automated version matching cannot determine on its own whether a given instance is affected. The vendor advisory (GHSA-656w-6f6c-m9r6) states that the fix ships in 10.0.19, so treat any earlier release as affected until you have confirmed otherwise.
- Review the CVE details at NVD
- Check the vendor advisory for your specific version
- Test whether the vulnerability is exploitable in your environment
- Update to 10.0.19 or later
⚠️ Risk & Real-World Impact
Worst Case
Complete takeover of GitHub App integrations across all projects, unauthorized repository enumeration, and injection of malicious code repositories into production systems.
Likely Case
Unauthorized modification of GitHub App bindings leading to service disruption, repository enumeration exposing sensitive information, and unauthorized code repository creation.
If Mitigated
Limited impact due to network segmentation and strict access controls, but still potential for unauthorized configuration changes.
🎯 Exploit Status
Exploitation requires the ability to complete a GitHub App installation against the OneUptime instance (an installation the attacker controls is enough). From there the authorization bypass makes it straightforward: the step that binds an installation to a project does not check that the caller is authorized for that project, so the attacker can direct the binding at someone else's project.
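To make the bypass concrete, the following is an added illustrative model of a GitHub App "setup URL" callback that binds an installation to a project. It is written for this page and is not OneUptime's code; the Session, Store, CallbackQuery types and the `projectId.nonce.hmac` state layout are hypothetical. The vulnerable handler takes the target project from the caller-supplied state parameter, which is exactly what lets one project's binding be overwritten from another; the hardened handler signs the state, requires it to name the caller's own project, checks membership, and refuses to re-home an installation that another project already owns.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Illustrative model of a GitHub App "setup URL" callback, written for this page.
// It is NOT OneUptime's code; every name below (Session, Store, state layout) is hypothetical.
interface Session { userId: string; projectId: string }          // the authenticated caller
interface Binding { installationId: string; boundBy: string }
interface Store {
  bindings: Map<string, Binding>;          // projectId -> GitHub App binding
  members: Map<string, Set<string>>;       // projectId -> user ids allowed to manage it
}
interface CallbackQuery { installation_id: string; state: string }
interface Result { ok: boolean; reason?: string }

// Vulnerable pattern: the project to bind is taken from the caller-supplied `state`
// parameter and nothing ties that value to the session that completes the flow.
export function vulnerableCallback(store: Store, session: Session, q: CallbackQuery): Result {
  store.bindings.set(q.state, { installationId: q.installation_id, boundBy: session.userId });
  return { ok: true };
}

const STATE_SECRET = "example-only-secret-rotate-me";            // constructed for the example

// Issued when a project member starts the install flow: state = projectId.nonce.hmac
export function issueState(session: Session, nonce: string): string {
  const payload = `${session.projectId}.${nonce}`;
  const mac = createHmac("sha256", STATE_SECRET).update(payload).digest("hex");
  return `${payload}.${mac}`;
}

// Hardened pattern: verify the state's signature, require it to name the caller's own
// project, require the caller to be a member, and never re-home an installation that
// another project already owns.
export function hardenedCallback(store: Store, session: Session, q: CallbackQuery): Result {
  const parts = q.state.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed state" };
  const [projectId, nonce, mac] = parts;
  const expected = createHmac("sha256", STATE_SECRET).update(`${projectId}.${nonce}`).digest("hex");
  const got = Buffer.from(mac, "hex"), want = Buffer.from(expected, "hex");
  if (got.length !== want.length || !timingSafeEqual(got, want)) {
    return { ok: false, reason: "state signature invalid" };
  }
  if (projectId !== session.projectId) return { ok: false, reason: "state names a different project" };
  if (!store.members.get(projectId)?.has(session.userId)) return { ok: false, reason: "caller is not a project member" };
  for (const [otherProject, b] of store.bindings) {
    if (otherProject !== projectId && b.installationId === q.installation_id) {
      return { ok: false, reason: "installation already bound to another project" };
    }
  }
  store.bindings.set(projectId, { installationId: q.installation_id, boundBy: session.userId });
  return { ok: true };
}

// Constructed scenario: alice owns proj-victim (installation 1001); mallory owns proj-attacker.
function fixture(): Store {
  return {
    bindings: new Map([["proj-victim", { installationId: "1001", boundBy: "alice" }]]),
    members: new Map([["proj-victim", new Set(["alice"])], ["proj-attacker", new Set(["mallory"])]]),
  };
}

export function demo() {
  const mallory: Session = { userId: "mallory", projectId: "proj-attacker" };
  // Attack 1: tamper `state` so the victim project is bound to an installation mallory controls.
  const s1 = fixture();
  vulnerableCallback(s1, mallory, { installation_id: "2002", state: "proj-victim" });
  const s2 = fixture();
  const tampered = hardenedCallback(s2, mallory, { installation_id: "2002", state: "proj-victim.n1.deadbeef" });
  // Attack 2: with a valid state for mallory's own project, claim the victim's installation 1001.
  const stolen = hardenedCallback(s2, mallory, { installation_id: "1001", state: issueState(mallory, "n2") });
  // Legitimate flow: mallory binds an installation she controls to her own project.
  const legit = hardenedCallback(s2, mallory, { installation_id: "2002", state: issueState(mallory, "n3") });
  return {
    vulnerableVictimBinding: s1.bindings.get("proj-victim")?.installationId,   // "2002": hijacked
    hardenedVictimBinding: s2.bindings.get("proj-victim")?.installationId,     // "1001": unchanged
    tampered, stolen, legit,
  };
}
```

The two handlers take the same query; the difference is entirely in what the hardened one refuses. Attack 2 covers the enumeration side of the advisory: even with a perfectly valid state for their own project, an attacker cannot pull a victim's installation into it to list its repositories.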
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.19
Vendor Advisory: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-656w-6f6c-m9r6
Restart Required: Yes
Instructions:
1. Backup your OneUptime instance.
2. Update to version 10.0.19 or later.
3. Restart the OneUptime service.
4. Verify GitHub App integrations are functioning correctly.
🔧 Temporary Workarounds
Disable GitHub App Integration
Temporarily disable GitHub App functionality until patching is complete.
# Edit OneUptime configuration to disable GitHub App features
# Restart service after configuration change
Network Isolation
Restrict network access to the OneUptime GitHub callback endpoints.
# iptables cannot match a URL path: it only limits who can reach the port at all. Path-level
# restriction of /github/callback belongs in the reverse proxy in front of OneUptime.
iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IPS] -j ACCEPT
iptables -A INPUT -p tcp --dport [PORT] -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OneUptime from production systems
- Enable detailed logging and monitoring for all GitHub App integration activities
🔍 How to Verify
Check if Vulnerable:
Check OneUptime version via admin interface or by examining package version. If version is below 10.0.19, system is vulnerable.
Check Version:
# Running as a container:
docker inspect oneuptime | grep -i version
# Or, on a host install, from the package manifest:
grep '"version"' /usr/local/oneuptime/package.json
Verify Fix Applied:
Confirm version is 10.0.19 or higher and test GitHub App integration functionality.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized GitHub App installation ID modifications
- Unexpected CodeRepository creation events
- Failed authorization attempts on GitHub callback endpoints
Network Indicators:
- Unusual traffic patterns to /github/callback endpoints
- Requests with manipulated state or installation_id parameters
SIEM Query (pseudo-query; the event and field names are illustrative and must be mapped onto your actual OneUptime log schema):
source="oneuptime" AND (event="github_app_callback" OR event="code_repository_create") AND user NOT IN [authorized_users]
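The indicators and query above are the rules; the following added example runs them over constructed log lines so the logic can be checked offline. It is not OneUptime's logging code or schema: the JSON-per-line format, the event names (taken from the pseudo-query above), and the PROJECT_MEMBERS table are all assumptions. It flags successful integration events by non-members, a project's binding switching to a different installation, an installation re-homed from one project to another, and denied callbacks.

```typescript
// Constructed sample audit events in a hypothetical JSON-per-line schema. These are NOT
// OneUptime's real log format; the field and event names follow the SIEM query on this page.
export const SAMPLE_LOGS = `
{"ts":"2026-03-01T10:00:00Z","event":"github_app_callback","actor":"alice","project":"proj-a","installation_id":"1001","status":"ok"}
{"ts":"2026-03-01T10:05:00Z","event":"github_app_callback","actor":"mallory","project":"proj-a","installation_id":"2002","status":"ok"}
{"ts":"2026-03-01T10:05:30Z","event":"code_repository_create","actor":"mallory","project":"proj-a","repo":"org/app","status":"ok"}
{"ts":"2026-03-01T10:07:00Z","event":"github_app_callback","actor":"bob","project":"proj-b","installation_id":"1001","status":"ok"}
{"ts":"2026-03-01T10:09:00Z","event":"github_app_callback","actor":"mallory","project":"proj-a","installation_id":"2002","status":"denied"}
`;

// Who may manage each project (in practice sourced from your IdP or the OneUptime member list).
export const PROJECT_MEMBERS: Record<string, string[]> = { "proj-a": ["alice", "bob"], "proj-b": ["mallory"] };

interface LogEvent { ts: string; event: string; actor: string; project: string; installation_id?: string; repo?: string; status: string }
export interface Alert { rule: string; ts: string; actor: string; project: string; detail: string }

export function parseLogs(text: string): LogEvent[] {
  return text.split("\n").map(l => l.trim()).filter(l => l.length > 0).map(l => JSON.parse(l) as LogEvent);
}

// Stateful pass over the events; the two Maps are the memory a SIEM keeps per project / installation.
export function detect(events: LogEvent[], members: Record<string, string[]>): Alert[] {
  const alerts: Alert[] = [];
  const lastBinding = new Map<string, string>();        // project -> installation_id last bound
  const installationOwner = new Map<string, string>();  // installation_id -> project that bound it
  const raise = (rule: string, e: LogEvent, detail: string) =>
    alerts.push({ rule, ts: e.ts, actor: e.actor, project: e.project, detail });

  for (const e of events) {
    const isMember = (members[e.project] ?? []).includes(e.actor);
    // Successful integration event by someone outside the project: the "user NOT IN authorized_users" case.
    if (e.status === "ok" && !isMember) raise("actor_not_project_member", e, `${e.event} by non-member`);
    if (e.event !== "github_app_callback") continue;
    if (e.status !== "ok") { raise("callback_denied", e, "authorization failure on callback"); continue; }
    const inst = e.installation_id ?? "";
    const prev = lastBinding.get(e.project);
    if (prev !== undefined && prev !== inst) raise("binding_changed", e, `installation ${prev} -> ${inst}`);
    const owner = installationOwner.get(inst);
    if (owner !== undefined && owner !== e.project) raise("installation_rehomed", e, `installation ${inst} previously bound to ${owner}`);
    lastBinding.set(e.project, inst);
    installationOwner.set(inst, e.project);
  }
  return alerts;
}

export function runSample(): Alert[] { return detect(parseLogs(SAMPLE_LOGS), PROJECT_MEMBERS); }
```

On the sample, the second and third lines (mallory rebinding proj-a and then creating a repository there) produce the alert pattern the advisory describes: a binding change by a non-member followed by an unexpected CodeRepository creation. The fourth line shows the enumeration path, an installation that belonged to proj-a reappearing under proj-b.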