CVE-2026-32306: OneUptime ClickHouse SQL Injection via Aggregate Query Parameters

March 13, 2026 (updated March 16, 2026)

The telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as “trusted SQL”). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions.

References

github.com/OneUptime/oneuptime
github.com/OneUptime/oneuptime/releases/tag/10.0.23
github.com/OneUptime/oneuptime/security/advisories/GHSA-p5g2-jm85-8g35
github.com/advisories/GHSA-p5g2-jm85-8g35
nvd.nist.gov/vuln/detail/CVE-2026-32306

Code Behaviors & Features

Detect and mitigate CVE-2026-32306 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →