Description
OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, the custom JavaScript monitor feature uses Node.js's node:vm module (explicitly documented as not a security mechanism) to execute user-supplied code, allowing trivial sandbox escape via a well-known one-liner that grants full access to the underlying process. Because the probe runs with host networking and holds all cluster credentials (ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, CLICKHOUSE_PASSWORD) in its environment variables, and monitor creation is available to the lowest role (ProjectMember) with open registration enabled by default, any anonymous user can achieve full cluster compromise in about 30 seconds. This issue has been fixed in version 10.0.5.
Published: 2026-02-21
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the custom JavaScript monitor feature of OneUptime versions 9.5.13 and earlier. It uses Node.js's node:vm module, a known insecure sandbox, to execute user‑supplied code. A simple one‑line payload can escape this sandbox and gain full access to the underlying process, allowing an attacker to run arbitrary code on the host in about half a minute.

Affected Systems

The affected vendor is OneUptime. The issue applies to any deployment running version 9.5.13 or older. Version 10.0.5 and newer contain the fix.

Risk and Exploitability

The CVSS score is 10, indicating maximum severity, while the EPSS score of less than 1% points to a low but measurable exploitation probability. The vulnerability is not yet listed in the CISA KEV catalog. An attacker with a ProjectMember role—or any anonymous user if open registration is enabled—can create a custom JavaScript monitor, submit the escape payload, and execute arbitrary code on the cluster with credentials to all internal services, thereby achieving full cluster compromise.

Generated by OpenCVE AI on April 17, 2026 at 16:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OneUptime to version 10.0.5 or later
  • Disable open registration during the upgrade process
  • Restrict creation of custom JavaScript monitors to administrative users only
  • Rotate or remove sensitive environment variables (e.g. ONEUPTIME_SECRET, DATABASE_PASSWORD) until the fix is applied

Advisories

Source: GitHub GHSA
ID: GHSA-v264-xqh4-9xmm
Title: OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE
History

Tue, 24 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hackerbay; Hackerbay oneuptime
CPEs | | cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
Vendors & Products | | Hackerbay; Hackerbay oneuptime

Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Oneuptime; Oneuptime oneuptime
Vendors & Products | | Oneuptime; Oneuptime oneuptime

Sat, 21 Feb 2026 10:30:00 +0000

Type | Values Removed | Values Added
Description | | OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, custom JavaScript monitor feature uses Node.js's node:vm module (explicitly documented as not a security mechanism) to execute user-supplied code, allowing trivial sandbox escape via a well-known one-liner that grants full access to the underlying process. Because the probe runs with host networking and holds all cluster credentials (ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, CLICKHOUSE_PASSWORD) in its environment variables, and monitor creation is available to the lowest role (ProjectMember) with open registration enabled by default, any anonymous user can achieve full cluster compromise in about 30 seconds. This issue has been fixed in version 10.0.5.
Title | | OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE
Weaknesses | | CWE-94
References | |
Metrics | | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:10:23.455Z

Reserved: 2026-02-20T17:40:28.449Z

Link: CVE-2026-27574

Vulnrichment

Updated: 2026-02-24T18:09:58.250Z

NVD

Status: Analyzed

Published: 2026-02-21T11:15:57.443

Modified: 2026-02-23T20:36:09.117

Link: CVE-2026-27574

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z

Weaknesses