Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20.
Published: 2026-03-09
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability resides in OneUptime's synthetic monitoring feature, which permits low‑privileged project users to submit arbitrary Playwright scripts that are executed on the probe service. The script runs inside a Node.js vm context but is handed live host Playwright objects such as browser and page. Node's vm module is not a security boundary and does nothing to confine objects placed into the context, so an attacker's script can call browser.browserType().launch(...) directly and spawn arbitrary processes on the probe host or container. This capability constitutes server‑side remote code execution. The assigned weakness is CWE‑749 (Exposed Dangerous Method or Function): a powerful host object is exposed to untrusted input.

Affected Systems

The affected vendor is OneUptime (product OneUptime), and the risk applies to all installations of OneUptime prior to version 10.0.20. Synthetic monitors are enabled by default in these versions, so any low‑privileged user who can add or edit a monitor can inject malicious code. The patch restricts the execution context so that untrusted scripts can no longer reach host‑level Playwright objects.

Risk and Exploitability

The CVSS score of 10 indicates maximum severity, though the EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalogue, so there is little evidence of public exploitation to date. Nevertheless, the attack path requires only a low‑privileged user submitting a monitor script, a realistic threat wherever such accounts are common. Patch management processes should treat this as critical and prioritize upgrading to version 10.0.20. Failure to patch could allow an attacker to execute arbitrary code on the probe host, compromising the confidentiality, integrity, and availability of the monitoring infrastructure.

Generated by OpenCVE AI on April 16, 2026 at 10:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OneUptime to version 10.0.20 or newer, which removes the exposed Playwright objects from the synthetic monitor execution context.
  • Disable or remove synthetic monitor creation for users that do not require it, or restrict the ability to edit existing monitors to higher‑privileged users only.
  • Monitor system logs for unexpected process launches on the probe host and review Playwright activity logs to detect any attempts to manipulate browser objects.

Advisories

Source | ID | Title
GitHub GHSA | GHSA-4j36-39gm-8vq8 | OneUptime: Synthetic Monitor RCE via exposed Playwright browser object
History

Thu, 12 Mar 2026 13:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hackerbay; Hackerbay oneuptime
CPEs | | cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
Vendors & Products | | Hackerbay; Hackerbay oneuptime

Tue, 10 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Oneuptime; Oneuptime oneuptime
Vendors & Products | | Oneuptime; Oneuptime oneuptime

Mon, 09 Mar 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20.
Title | | OneUptime Synthetic Monitor RCE via exposed Playwright browser object
Weaknesses | | CWE-749
References | | (none listed)
Metrics | | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:13:54.890Z

Reserved: 2026-03-07T16:40:05.884Z

Link: CVE-2026-30921

Vulnrichment

Updated: 2026-03-10T14:12:13.746Z

NVD

Status : Analyzed

Published: 2026-03-10T17:40:16.160

Modified: 2026-03-12T13:44:49.127

Link: CVE-2026-30921

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses