CVE-2026-32598: OneUptime: Password Reset Token Logged at INFO Level

March 13, 2026 (updated March 16, 2026)

The password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user.

References

github.com/OneUptime/oneuptime
github.com/OneUptime/oneuptime/releases/tag/10.0.23
github.com/OneUptime/oneuptime/security/advisories/GHSA-4524-cj9j-g4fj
github.com/advisories/GHSA-4524-cj9j-g4fj
nvd.nist.gov/vuln/detail/CVE-2026-32598

Code Behaviors & Features

Detect and mitigate CVE-2026-32598 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →