CVE-2026-34758
OneUptime · OneUptime
Unauthenticated access to the notification-test and phone-number management endpoints in OneUptime allows remote attackers to send messages through the instance's configured communication services and to make unauthorized phone-number purchases.
Executive summary
OneUptime versions prior to 10.0.42 expose the notification-test and phone-number management endpoints without authentication. An unauthenticated remote attacker can send messages through the instance's configured SMS, call, email and WhatsApp channels and purchase phone numbers through the platform's integrated services, with the resulting charges borne by the operator.
Vulnerability
The affected versions do not enforce authentication on the notification-test and phone-number management endpoints. An unauthenticated remote attacker can therefore trigger SMS, call, email and WhatsApp sends through whichever providers the instance has configured, and can purchase phone numbers through the platform's integrated services, all at the operator's expense.
Business impact
Exploitation of this flaw can result in significant financial loss through unauthorized service consumption and phone-number purchases. Attackers can also use the platform to send fraudulent communications; because those messages leave through the operator's own configured sender identities, they lend credibility to phishing or spam campaigns and expose the operator to reputational damage. The CVSS score of 9.1 (Critical) reflects the fact that the flaw is reachable without any credentials.
Remediation
Immediate Action: Upgrade OneUptime to version 10.0.42 or later to apply the necessary authentication checks on vulnerable endpoints.
Proactive Monitoring: Monitor communication logs for spikes in SMS or call volume, alert on successful requests to the notification-test and phone-number endpoints that carry no session, and review billing statements for unauthorized charges related to phone-number management.
Compensating Controls: Until the upgrade is applied, restrict network access to the OneUptime management interface (for example, an IP allow-list or VPN at the reverse proxy) and rate-limit the notification endpoints. Rate-limiting only slows automated abuse and does not prevent a single costly purchase, and neither measure is a substitute for the upgrade, which restores the missing authentication checks.
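As an added example (not OneUptime's code and not part of the original advisory), the monitoring item above can be turned into a small detection pass over reverse-proxy logs: flag successful requests to the notification-test and phone-number endpoints that carry no session, and flag any source whose request rate to those endpoints spikes within a short window. The log layout, the route prefixes /notification-test and /phone-number, the sample traffic and the threshold of 10 hits per 60 seconds are all assumptions for illustration; the advisory does not publish the exact paths.

```python
"""Detection sketch for CVE-2026-34758-style abuse: unauthenticated and bursty
requests to the notification-test and phone-number endpoints.

Added example, not OneUptime code. The log layout, the route prefixes and
the thresholds are assumptions; map them onto the proxy or application logs
your deployment actually produces.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical route prefixes standing in for the affected endpoints; the
# advisory names the endpoint families but not their exact paths.
SENSITIVE_PATH = re.compile(r"^/(notification-test|phone-number)(/|$)")

# Constructed log layout (not a real OneUptime format):
#   <RFC 3339 time> <client ip> <method> <path> <status> auth=<none|session>
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>\S+)$"
)

# Constructed sample traffic: one unauthenticated source hammering the SMS
# test endpoint and then buying a number, one admin doing a legitimate test,
# and one unauthenticated request that a patched instance rejects with 401.
_burst = "\n".join(
    f"2026-03-01T10:00:{s:02d}Z 203.0.113.5 POST /notification-test/sms 200 auth=none"
    for s in range(0, 36, 3)  # 12 requests in 33 seconds
)
SAMPLE_LOG = _burst + """
2026-03-01T10:00:40Z 203.0.113.5 POST /phone-number/purchase 200 auth=none
2026-03-01T10:01:00Z 198.51.100.7 GET /dashboard 200 auth=session
2026-03-01T10:01:05Z 198.51.100.7 POST /notification-test/email 200 auth=session
2026-03-01T10:01:10Z 192.0.2.9 POST /notification-test/call 401 auth=none
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def unauthenticated_successes(events):
    """Sensitive-endpoint requests that succeeded without a session.

    A 2xx here is the strongest indicator: a patched instance answers 401/403.
    """
    return [
        ev for ev in events
        if SENSITIVE_PATH.match(ev["path"])
        and ev["auth"] == "none"
        and 200 <= ev["status"] < 300
    ]


def burst_sources(events, window_s=60, threshold=10):
    """Peak number of sensitive-endpoint hits per source IP in any sliding window.

    Returns {ip: peak} for sources whose peak reaches the threshold.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if SENSITIVE_PATH.match(ev["path"]):
            by_ip[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        window, peak = deque(), 0
        for ts in sorted(stamps):
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def report(text=SAMPLE_LOG):
    """Run both checks over a log body and return the findings."""
    events = parse_log(text)
    return {
        "unauthenticated_successes": unauthenticated_successes(events),
        "burst_sources": burst_sources(events),
    }


if __name__ == "__main__":
    result = report()
    for ev in result["unauthenticated_successes"]:
        print(f"ALERT unauth {ev['method']} {ev['path']} from {ev['ip']} -> {ev['status']}")
    for ip, peak in result["burst_sources"].items():
        print(f"ALERT burst {ip}: {peak} sensitive hits within 60s")
```

The two checks are deliberately independent: the burst check catches automated abuse regardless of how the endpoint answers, while the unauthenticated-success check also serves as a post-upgrade verification, since a correctly patched instance should produce none of those events.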
Exploitation status
Public Exploit Available: No
Analyst recommendation
Organizations using OneUptime must upgrade to version 10.0.42 immediately to restore authentication on these endpoints. Because this flaw directly impacts financial resources and communication integrity, rapid remediation is essential to prevent both monetary loss and brand damage.