CRITICAL🇵🇱 Wersja polska

CVE-2026-30921

CVSS 9.9v3.1pub. 2026-03-10upd. 2026-03-12

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20.

🤖 AI Analysis
How it works

The Synthetic Monitors feature allows project users to submit their own Playwright code, which is then executed by the oneuptime-probe service. This code is executed within the vm mechanism of the Node.js module, however, actual host objects are passed to its environment — including the browser and page objects. An attacker can directly exploit the injected browser object by calling the browser.browserType().launch() method with arbitrary arguments, resulting in execution of an attacker-chosen executable file on the host or in the container. Classical sandbox escape techniques (e.g., this.constructor.constructor) are not required because access to host objects is granted directly.

Impact

An attacker with low privileges in the project can execute arbitrary code on the host or container where the oneuptime-probe service is running, which can lead to complete system takeover, data theft, and compromise of service integrity and availability.

Mitigation & patch

OneUptime should be updated to version 10.0.20 or later, in which the vulnerability has been fixed. Details available in the vendor references: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8

Who is affected

OneUptime (Hackerbay) in all versions before 10.0.20 using Synthetic Monitors functionality

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Hackerbay Oneuptime

    APP
    Hackerbay
    < 10.0.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References

Related vulnerabilities

CVE-2026-35053CRITICAL9.2PL ✓ten sam produkt

Brak uwierzytelnienia w endpointach workflow w OneUptime (RCE)

CVE-2026-34759CRITICAL9.2PL ✓ten sam produkt

Brak uwierzytelnienia w API powiadomień OneUptime — obejście autoryzacji

CVE-2026-34758CRITICAL9.1PL ✓ten sam produkt

OneUptime: nieautoryzowany dostęp do endpointów powiadomień i zarządzania numerami

CVE-2026-33396CRITICAL9.9PL ✓ten sam produkt

RCE w OneUptime — command injection przez Playwright w Synthetic Monitor

CVE-2026-32306CRITICAL9.9PL ✓ten sam produkt

SQL Injection w OneUptime — nieautoryzowany dostęp do bazy i potencjalny RCE