Publish GHSA-656w-6f6c-m9r6

advisory-database[bot] · advisory-database[bot] · commit 9073bd847307 · 2026-03-09T17:32:21.000Z
diff --git a/advisories/github-reviewed/2026/03/GHSA-656w-6f6c-m9r6/GHSA-656w-6f6c-m9r6.json b/advisories/github-reviewed/2026/03/GHSA-656w-6f6c-m9r6/GHSA-656w-6f6c-m9r6.json
@@ -0,0 +1,87 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-656w-6f6c-m9r6",
+  "modified": "2026-03-09T17:29:47Z",
+  "published": "2026-03-09T17:29:47Z",
+  "aliases": [
+    "CVE-2026-30920"
+  ],
+  "summary": "OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding",
+  "details": "### Summary\n\nOneUptime's GitHub App callback trusts attacker-controlled `state` and `installation_id` values and updates `Project.gitHubAppInstallationId` with `isRoot: true` without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding.\n\nRelated GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create `CodeRepository` records in an arbitrary project.\n\n### Details\n\nThe callback decodes unsigned base64 JSON from `state` and uses the embedded `projectId` directly:\n\n- https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L34-L112\n\nIt then writes the supplied `installation_id` into the target project with root privileges:\n\n```ts\nawait ProjectService.updateOneById({\n  id: new ObjectID(projectId),\n  data: { gitHubAppInstallationId: installationId },\n  props: { isRoot: true },\n});\n```\n\nThe `userId` in `state` is only checked for presence, not authenticity:\n\n- https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L73-L79\n\nThe install flow also generates `state` as plain base64 JSON, not a signed or session-bound token:\n\n- https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L127-L165\n\nThe follow-on endpoints are also vulnerable:\n\n- Repository listing: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L179-L258\n- Repository connect: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L260-L356\n- Middleware allows requests with no token to continue as `Public`: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Middleware/UserAuthorization.ts#L205-L211\n- Installation tokens are minted from any valid installation ID: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Utils/CodeRepository/GitHub/GitHub.ts#L347-L425\n\n### PoC\n\nMinimal proof of unauthorized project tampering:\n\n```bash\nSTATE=$(printf '%s' '{\"projectId\":\"<victim-project-uuid>\",\"userId\":\"x\"}' | base64 | tr -d '\\n')\ncurl -isk \"https://<host>/api/github/auth/callback?installation_id=999999999&state=${STATE}\"\n```\n\nExpected result:\n\n- Server returns a `302` redirect to `/dashboard/<victim-project-uuid>/code-repository?installation_id=999999999`\n- The target project's `gitHubAppInstallationId` is overwritten\n\n### Impact\n\n- Unauthorized modification of `Project.gitHubAppInstallationId`\n- Temporary GitHub integration breakage if a bogus installation ID is set\n- Cross-project binding of attacker-controlled GitHub App installations\n- Repository metadata disclosure for a supplied valid installation ID\n- Unauthorized creation of `CodeRepository` records in arbitrary projects",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@oneuptime/common"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "10.0.19"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-656w-6f6c-m9r6"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/OneUptime/oneuptime"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L127-L165"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L179-L258"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L260-L356"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L34-L112"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L73-L79"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Middleware/UserAuthorization.ts#L205-L211"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Utils/CodeRepository/GitHub/GitHub.ts#L347-L425"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-345",
+      "CWE-639",
+      "CWE-862"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-09T17:29:47Z",
+    "nvd_published_at": null
+  }
+}
