GHSA-cw6x-mw64-q6pv

Source

https://github.com/advisories/GHSA-cw6x-mw64-q6pv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-cw6x-mw64-q6pv/GHSA-cw6x-mw64-q6pv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cw6x-mw64-q6pv

Aliases

CVE-2026-30959

Published

2026-03-10T01:15:30Z

Modified

2026-03-10T19:01:32.247422Z

Severity

5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L CVSS Calculator

Summary

OneUptime has WhatsApp Resend Verification Authorization Bypass

Details

Description

The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint).

Affected Source

Endpoint: UserWhatsAppAPI.ts
Service: UserWhatsAppService.ts
Verify ownership (present in verify endpoint for comparison): UserWhatsAppAPI.ts

Full Code Lines (UserWhatsAppAPI.ts)

Resend path (authorization gap):

    this.router.post(
      `${new this.entityType()
        .getCrudApiPath()
        ?.toString()}/resend-verification-code`,
      UserMiddleware.getUserMiddleware,
      async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
        try {
          req = req as OneUptimeRequest;

          if (!req.body.itemId) {
            return Response.sendErrorResponse(
              req,
              res,
              new BadDataException("Invalid item ID"),
            );
          }

          await this.service.resendVerificationCode(req.body.itemId);

          return Response.sendEmptySuccessResponse(req, res);
        } catch (err) {
          return next(err);
        }
      },
    );

Verify path (ownership check present):

          if (
            item.userId?.toString() !==
            (req as OneUptimeRequest)?.userAuthorization?.userId?.toString()
          ) {
            return Response.sendErrorResponse(
              req,
              res,
              new BadDataException("Invalid user ID"),
            );
          }

Prerequisites

Valid attacker account with access to a project
Attacker access token
A victim’s UserWhatsApp itemId belonging to the same project

Steps to Reproduce

Set your attacker token:

export ATK="Bearer <attacker-access-token>"

Trigger resend for the victim’s item:

curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: $ATK" \
  -d '{"itemId":"<victim-userwhatsapp-id>"}' \
  http://<host>/api/user-whats-app/resend-verification-code

Expected/Observed Behavior

HTTP 200 with {} body and a new verification code sent to the victim’s phone
No checks confirm that item.userId equals the authenticated user’s ID for the resend path

Impact

Spam/DoS against victims’ phone numbers, social engineering pressure, and potential lockout flows due to repeated resends

Recommended Fix

Enforce ownership: item.userId must match the authenticated user
Add per-item and per-user rate limiting for resends

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T01:15:30Z",
    "cwe_ids": [
        "CWE-285",
        "CWE-307",
        "CWE-639",
        "CWE-862"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-03-10T18:18:55Z"
}

References

Affected packages

npm / @oneuptime/common

Package

Name: @oneuptime/common; View open source insights on deps.dev
Purl: pkg:npm/%40oneuptime/common

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.0.21

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-cw6x-mw64-q6pv/GHSA-cw6x-mw64-q6pv.json"