Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18.
Published: 2026-03-09
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution and Full Cluster Compromise
Action: Apply Patch
AI Analysis

Impact

OneUptime versions before 10.0.18 allow the execution of untrusted JavaScript code submitted by project members through Synthetic Monitors. The code is run inside the Node.js vm module without proper sandboxing, enabling a standard prototype-chain escape to gain access to the Node.js process. This flaw is a classic instance of unsandboxed code execution (CWE-94). An attacker who can create or modify a synthetic monitor can therefore run arbitrary system commands on the oneuptime-probe container and, because the probe stores database credentials in its environment, can achieve a complete compromise of the entire cluster.

Affected Systems

The affected product is OneUptime; specifically, every installation of the OneUptime application released before version 10.0.18 is affected. These versions ship the probe module in which the prototype-chain (String.prototype constructor) escape is possible. No other vendors or products are known to be affected.

Risk and Exploitability

The CVSS score of 10 reflects a critical-severity vulnerability: once the submitted code executes, it runs with the full local and remote privileges of the probe process. The EPSS score of less than 1% indicates that the probability of exploitation is currently very low, but the possibility that the flaw goes undiscovered in deployed installations, combined with the impact of a successful exploit (complete cluster compromise), makes the overall risk high. This vulnerability is not listed in the CISA KEV catalog. Attackers would most likely exploit it by creating or editing a synthetic monitor as a project member with code-execution permissions; no further external interaction is required once the user's code is submitted.

Generated by OpenCVE AI on April 17, 2026 at 11:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OneUptime to version 10.0.18 or later, which contains the fix for the unsandboxed code execution flaw.
  • Restrict the ability to create or modify synthetic monitors to only highly trusted users and audit existing monitors for malicious code.
  • If an update cannot be performed immediately, temporarily disable the synthetic monitor execution feature or enforce a strict content filter to prevent the execution of arbitrary JavaScript.
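As a worked example of the "audit existing monitors" step above, added here and not taken from OneUptime or from the advisory: a small Node.js script that scans stored synthetic monitor scripts for the indicators the description names (the constructor.constructor prototype-chain escape and direct use of the host process object) plus module loading, and reports the monitors that need a human review. The rule names, the assumed record shape ({ id, project, script }) and the sample monitor records are constructed for the example.

```javascript
// Added example (not OneUptime's code): triage audit for stored synthetic
// monitor scripts, to support the "audit existing monitors" action while the
// upgrade to 10.0.18 is rolled out. Rule ids and sample scripts are constructed.
// A source-level scan can be evaded by obfuscation, so a clean result is not
// proof of safety; the patched release is the only complete fix.

const RULES = [
  // The prototype-chain escape named in the advisory: reaching the host
  // realm's Function constructor through constructor.constructor.
  { id: 'constructor-chain', re: /\bconstructor\s*\.\s*constructor\b/ },
  // Direct use of the host process object (credentials live in process.env).
  { id: 'process-object', re: /\bprocess\s*\.\s*\w+/ },
  // Module loading is not needed for a Playwright website check; flag it.
  { id: 'require-call', re: /\brequire\s*\(/ },
  { id: 'child-process', re: /child_process/ },
];

// Audit one script; returns every rule hit with its 1-based line number.
function auditMonitorScript(script) {
  const findings = [];
  const lines = script.split(/\r?\n/);
  lines.forEach((text, index) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ rule: rule.id, line: index + 1, excerpt: text.trim() });
      }
    }
  });
  return { clean: findings.length === 0, findings };
}

// Audit a set of monitor records and return only the ones that need review.
function auditMonitors(monitors) {
  return monitors
    .map((m) => ({ id: m.id, project: m.project, ...auditMonitorScript(m.script) }))
    .filter((result) => !result.clean);
}

// Constructed sample records standing in for monitors exported from the database.
const SAMPLE_MONITORS = [
  {
    id: 'mon-1', project: 'status-page',
    script: [
      "await page.goto('https://status.example.invalid');",
      "await page.waitForSelector('h1');",
      'return { ok: true };',
    ].join('\n'),
  },
  {
    id: 'mon-2', project: 'status-page',
    script: [
      '// looks like a health check, but reaches for the host realm',
      'const hostFn = this.constructor.constructor;',
      'console.log(process.env.DATABASE_URL);',
    ].join('\n'),
  },
  {
    id: 'mon-3', project: 'billing',
    script: "const cp = require('child_process');",
  },
];

// Print a review list when run directly: one line per monitor, one per finding.
for (const r of auditMonitors(SAMPLE_MONITORS)) {
  console.log(`${r.project}/${r.id}: ${r.findings.length} finding(s)`);
  for (const f of r.findings) {
    console.log(`  line ${f.line} [${f.rule}] ${f.excerpt}`);
  }
}
```

Run it against an export of the stored monitor scripts and review every flagged monitor by hand. The scan is a triage aid, not a sandbox: a script can be rewritten to evade every rule here, so an empty report does not make a monitor safe, and the upgrade remains the actual remediation.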

Tracking

Advisories
Source: Github GHSA
ID: GHSA-h343-gg57-2q67
Title: OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE
History

Thu, 12 Mar 2026 13:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Hackerbay; Hackerbay oneuptime
CPEs                |                | cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
Vendors & Products  |                | Hackerbay; Hackerbay oneuptime

Tue, 10 Mar 2026 14:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Oneuptime; Oneuptime oneuptime
Vendors & Products  |                | Oneuptime; Oneuptime oneuptime
Metrics             |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 23:00:00 +0000

Type        | Values Removed | Values Added
Description |                | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18.
Title       |                | OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE
Weaknesses  |                | CWE-94
References  |                |
Metrics     |                | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Hackerbay Oneuptime
Oneuptime Oneuptime
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:00:44.197Z

Reserved: 2026-03-06T00:04:56.700Z

Link: CVE-2026-30887

Vulnrichment

Updated: 2026-03-10T14:00:32.517Z

NVD

Status : Analyzed

Published: 2026-03-10T17:40:14.887

Modified: 2026-03-12T13:41:22.380

Link: CVE-2026-30887

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:00:11Z

Weaknesses