CRITICAL🇵🇱 Wersja polska

CVE-2026-30957

CVSS 9.9v3.1pub. 2026-03-10upd. 2026-03-12

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.

🤖 AI Analysis
How it works

The Synthetic Monitors mechanism executes untrusted user code within a Node.js sandbox environment (vm module), however browser objects and Playwright page instances running in the host context are directly exposed to this code. An attacker can invoke Playwright API methods on the injected browser object, causing the probe server to execute an executable file controlled by the attacker. The attack does not require separate vm sandbox escape — it only requires exploitation of available host objects.

Impact

An attacker can execute arbitrary system commands on the oneuptime-probe server or container, potentially leading to full compromise of the probe environment, data exfiltration, and further lateral movement within the infrastructure.

Mitigation & patch

OneUptime should be updated to version 10.0.21 or later, where the vulnerability has been fixed. The patch is available in the official GitHub repository: https://github.com/OneUptime/oneuptime/releases/tag/10.0.21

Who is affected

OneUptime (Hackerbay) in all versions before 10.0.21, particularly installations using the Synthetic Monitors functionality.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Hackerbay Oneuptime

    APP
    Hackerbay
    < 10.0.21
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEContainer
CWE
References

Related vulnerabilities

CVE-2026-35053CRITICAL9.2PL ✓ten sam produkt

Brak uwierzytelnienia w endpointach workflow w OneUptime (RCE)

CVE-2026-34759CRITICAL9.2PL ✓ten sam produkt

Brak uwierzytelnienia w API powiadomień OneUptime — obejście autoryzacji

CVE-2026-34758CRITICAL9.1PL ✓ten sam produkt

OneUptime: nieautoryzowany dostęp do endpointów powiadomień i zarządzania numerami

CVE-2026-33396CRITICAL9.9PL ✓ten sam produkt

RCE w OneUptime — command injection przez Playwright w Synthetic Monitor

CVE-2026-32306CRITICAL9.9PL ✓ten sam produkt

SQL Injection w OneUptime — nieautoryzowany dostęp do bazy i potencjalny RCE