CVE-2026-32306
Published 2026-03-13
Priority P2 · 71 · critical · CVSS 3.1: 9.9
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.60% (44.4th percentile)
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.
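As an added example (not OneUptime's code), a minimal TypeScript sketch of the aggregate-query builder the description refers to: the unsafe concatenation pattern beside a hardened builder that allowlists `aggregationType` and checks both column names against the model's declared columns before any SQL is built. The model, table and column names (`METRIC_MODEL`, `Metric`, `time`, `value`, `name`) are constructed for illustration.

```typescript
// Added example, not OneUptime's code. Models the aggregate-query builder
// described in the advisory and the allowlist checks it says were missing.

// Fixed allowlist of aggregation functions the API is willing to emit.
const AGGREGATION_TYPES: ReadonlySet<string> = new Set(["count", "sum", "avg", "min", "max"]);

// Hypothetical analytics model: a ClickHouse table and its declared columns.
interface AnalyticsModel {
  tableName: string;
  columns: ReadonlySet<string>;
}

// Shape of the user-controlled aggregateBy object from the request body.
interface AggregateBy {
  aggregationType: string;
  aggregateColumnName: string;
  aggregationTimestampColumnName: string;
}

// Vulnerable pattern, kept for contrast: each parameter lands in the SQL text
// exactly as supplied, which is the "trusted SQL" append the advisory describes.
function buildAggregateUnsafe(model: AnalyticsModel, a: AggregateBy): string {
  return `SELECT toStartOfInterval(${a.aggregationTimestampColumnName}, INTERVAL 1 hour) AS ts, ` +
    `${a.aggregationType}(${a.aggregateColumnName}) AS value FROM ${model.tableName} GROUP BY ts`;
}

class InvalidAggregateParam extends Error {}

// Hardened builder: aggregationType must be in the allowlist and both column names
// must be declared on the model. Rejection happens before any SQL is assembled.
// Per the follow-up advisory on this page, ClickHouse Identifier parameters are not
// escaped either, so the allowlist check, not quoting, is the actual control.
function buildAggregateSafe(model: AnalyticsModel, a: AggregateBy): string {
  const type = a.aggregationType.toLowerCase();
  if (!AGGREGATION_TYPES.has(type)) {
    throw new InvalidAggregateParam(`aggregationType not allowed: ${a.aggregationType}`);
  }
  for (const col of [a.aggregateColumnName, a.aggregationTimestampColumnName]) {
    if (!model.columns.has(col)) throw new InvalidAggregateParam(`unknown column: ${col}`);
  }
  // Back-quote identifiers only after they passed the allowlist.
  const q = (id: string): string => "`" + id + "`";
  return `SELECT toStartOfInterval(${q(a.aggregationTimestampColumnName)}, INTERVAL 1 hour) AS ts, ` +
    `${type}(${q(a.aggregateColumnName)}) AS value FROM ${q(model.tableName)} GROUP BY ts`;
}

// Constructed sample model used by the checks below.
const METRIC_MODEL: AnalyticsModel = { tableName: "Metric", columns: new Set(["time", "value", "name"]) };
```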
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hackerbay | oneuptime | < 10.0.34 | 10.0.34 |
| hackerbay | oneuptime | < 10.0.23 | 10.0.23 |
| oneuptime | oneuptime | < 10.0.34 | 10.0.34 |
| oneuptime | oneuptime | >= 0 < 10.0.23 | 10.0.23 |
OSV · 2026-03-13 · CVE-2026-32306 [CRITICAL]: OneUptime ClickHouse SQL Injection via Aggregate Query Parameters
### Summary
The telemetry aggregation API accepts user-controlled `aggregationType`, `aggregateColumnName`, and `aggregationTimestampColumnName` parameters and interpolates them directly into ClickHouse SQL queries via the `.append()` method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions.
### Details
**Entry Point — `Common/Server/API/BaseAnalyticsAPI.ts:88-98, 292-296`:**
The `POST /{modelName}/aggregate` route deserializes `aggregateBy`
GHSA · 2026-03-13 · CVE-2026-32306 [CRITICAL] · CWE-89: OneUptime ClickHouse SQL Injection via Aggregate Query Parameters
No detection rules found.
No public exploits indexed.
Wiz · CVSS 9.9 · CVE-2026-33142 [CRITICAL]: Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to three other query construction paths in StatementGenerator. The toSortStatement, toSelectStatement, and toGroupByStatement methods accept user-controlled object keys from API request bodies and interpolate them as ClickHouse Identifier parameters without verifying they correspond to actual model columns. ClickHouse Identifier parameters are substituted directly into queries without escaping, so an attacker who can reach any analytics list or aggreg
Wiz · CVSS 9.9 · CVE-2026-32306 [CRITICAL]: Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
Source: NVD · Score 9.9 · Published 2026-03-13