CVE-2026-30956

OneUptime · OneUptime

A critical authorization bypass in OneUptime allows low-privileged users to forge headers, escape tenant isolation, and achieve full account takeover of other users.

Executive summary

OneUptime is vulnerable to a multi-tenancy escape that allows low-privileged users to access other tenants' data and fully take over any user account via forged headers.

Vulnerability

This vulnerability stems from the server trusting client-supplied headers like is-multi-tenant-query and projectid. An authenticated low-privileged user can forge these headers to skip internal permission checks, disable tenant scoping, and access sensitive data belonging to other organizations, including plaintext password reset tokens, enabling full account takeover.
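As an added illustration of the remediation principle described here (not OneUptime's own code), the following Python sketch shows an authorization step that derives tenant scope solely from the server-side session and fails closed whenever a client supplies a header reserved for internal use. The `Session`, `Decision` and `authorize_query` names, the in-memory table and the rejection behaviour are all assumptions made for this example; only the two header names come from the advisory.

```python
"""Hypothetical server-side tenant scoping: scope comes from the session,
never from client-supplied headers. Example code, not OneUptime's."""
from dataclasses import dataclass, field

# Headers that should only ever be set by trusted internal code paths.
# The two names are the ones the advisory cites; treating their presence on
# an external request as tampering is this example's design choice.
INTERNAL_ONLY_HEADERS = frozenset({"is-multi-tenant-query", "projectid"})


@dataclass(frozen=True)
class Session:
    """Authenticated principal, as resolved server-side from the token."""
    user_id: str
    project_ids: frozenset  # projects the user is actually a member of


@dataclass
class Decision:
    allowed: bool
    project_scope: frozenset = field(default_factory=frozenset)
    reason: str = ""


class TamperedRequest(Exception):
    """Raised when a client tries to set an internal-only header."""


def authorize_query(session, headers, requested_project_id):
    """Return a Decision whose project_scope is derived only from the session.

    headers: client-supplied header names (any case) -> value.
    requested_project_id: project the query targets (taken from URL/body).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    # Fail closed: external requests must never carry internal-only headers.
    present = INTERNAL_ONLY_HEADERS & set(lowered)
    if present:
        raise TamperedRequest(
            f"client supplied internal header(s): {sorted(present)}")
    # Membership is checked against the session, not against any header.
    if requested_project_id not in session.project_ids:
        return Decision(False, frozenset(), "caller is not a member of project")
    # Every downstream query is pinned to exactly this one project.
    return Decision(True, frozenset({requested_project_id}), "ok")


def scoped_query(decision, table):
    """Apply the decision's scope to an in-memory table of rows
    (list of dicts carrying a 'project_id' key)."""
    if not decision.allowed:
        return []
    return [row for row in table if row["project_id"] in decision.project_scope]


if __name__ == "__main__":
    # Constructed sample data.
    session = Session("user-a", frozenset({"p1"}))
    rows = [{"project_id": "p1", "v": 1}, {"project_id": "p2", "v": 2}]
    ok = authorize_query(session, {"Authorization": "Bearer x"}, "p1")
    print(scoped_query(ok, rows))          # only the p1 row
    denied = authorize_query(session, {}, "p2")
    print(denied.allowed, denied.reason)   # False, not a member
    try:
        authorize_query(session, {"Is-Multi-Tenant-Query": "true"}, "p1")
    except TamperedRequest as exc:
        print("rejected:", exc)
```

The point of the pattern is that the multi-tenant flag and the project identifier are never read from the request at all; the only inputs to the scoping decision are the resolved session and the resource the route addresses, so a forged header can at most get the request rejected.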

Business impact

With a CVSS score of 9.9, this vulnerability represents a total breakdown of the platform's security model. Attackers can leak sensitive user fields, reset victim passwords, and compromise the data of every tenant on the platform. This leads to massive data exposure and a complete loss of customer trust.

Remediation

Immediate Action: Update OneUptime to version 10.0.21 or later to ensure the server correctly validates and enforces tenant isolation independently of client-supplied headers.

Proactive Monitoring: Audit access logs for the presence of the is-multi-tenant-query header and investigate any cross-project data access patterns.
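One way to carry out the audit described above, as an added example that is not part of the advisory: the script below scans access-log records for the internal header names and for requests whose queried project differs from the project bound to the caller's session. The JSON-lines log format, its field names (`user`, `session_project`, `query_project`, `client_headers`) and the sample lines are all constructed for this example; a real deployment would map its own log fields onto them.

```python
"""Hypothetical access-log audit for CVE-2026-30956 indicators.
Example code, not OneUptime's; the log format is an assumption."""
import json
from collections import Counter

# Header names the advisory identifies as client-forgeable internal headers.
SUSPECT_HEADERS = {"is-multi-tenant-query", "projectid"}

# Constructed sample log in an assumed JSON-lines format.
SAMPLE_LOG = """\
{"ts":"2026-01-10T12:00:01Z","user":"user-a","session_project":"p1","query_project":"p1","path":"/api/monitor/list","client_headers":["authorization","content-type"]}
{"ts":"2026-01-10T12:00:05Z","user":"user-b","session_project":"p7","query_project":"p1","path":"/api/user/get-list","client_headers":["authorization","is-multi-tenant-query"]}
{"ts":"2026-01-10T12:00:09Z","user":"user-b","session_project":"p7","query_project":"p2","path":"/api/user/get-list","client_headers":["authorization","ProjectID"]}
{"ts":"2026-01-10T12:00:12Z","user":"user-c","session_project":"p2","query_project":"p2","path":"/api/status-page/list","client_headers":["authorization"]}
"""


def audit_log(text):
    """Return a list of findings, one per indicator per log line."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            # Unparseable lines are reported rather than silently skipped.
            findings.append({"line": n, "user": None, "kind": "unparseable"})
            continue
        # Header names are case-insensitive, so normalise before matching.
        hdrs = {h.lower() for h in rec.get("client_headers", [])}
        hit = sorted(hdrs & SUSPECT_HEADERS)
        if hit:
            findings.append({"line": n, "user": rec.get("user"),
                             "kind": "internal-header", "detail": hit})
        sess, query = rec.get("session_project"), rec.get("query_project")
        if query and query != sess:
            findings.append({"line": n, "user": rec.get("user"),
                             "kind": "cross-project", "detail": (sess, query)})
    return findings


def users_to_investigate(findings):
    """Count findings per user so the noisiest principals surface first."""
    return Counter(f["user"] for f in findings if f["user"])


if __name__ == "__main__":
    found = audit_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print(users_to_investigate(found).most_common())
```

Both indicators matter independently: a request that carries the header but stays inside its own project still shows someone probing the bypass, while a cross-project read without the header may point at a different scoping gap and deserves a look as well.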

Compensating Controls: Implement a reverse proxy or API gateway that strips or validates sensitive internal headers before they reach the application server.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This is a catastrophic flaw for any SaaS or multi-tenant installation of OneUptime. Immediate remediation via upgrading to version 10.0.21 is mandatory. Organizations must also consider a full audit of their data to ensure no unauthorized access occurred prior to patching.