Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.
Published: 2026-03-10
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Affected OneUptime Synthetic Monitors allowed a user with low‑privileged authenticated project access to run arbitrary commands on the probe server. Untrusted monitor scripts were executed inside Node’s vm while live Playwright browser and page objects were exposed, letting a malicious user call browser APIs to launch attacker‑controlled executables. This is a CWE‑749 flaw and allows server‑side remote code execution on the probe host without needing a separate VM sandbox escape.

Affected Systems

All installations of OneUptime before version 10.0.21 are impacted, including the open‑source distribution identified by the CPE hackerbay:oneuptime. Users deploying OneUptime Synthetic Monitoring features should verify their running version and consider it vulnerable if it is earlier than 10.0.21.

Risk and Exploitability

The CVSS score of 10 signals maximum severity, but the exploit probability is low with an EPSS score below 1%. The vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread exploitation incidents have been reported yet. Attackers would need to be an authenticated, low‑privileged project user, which means an insider or compromised account could exploit this flaw. Due to the reliance on exposed Playwright objects, it could be used to compromise the probe host and potentially the wider network if lateral movement is possible.

Generated by OpenCVE AI on April 17, 2026 at 11:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OneUptime to version 10.0.21 or later to apply the vendor fix.
  • If an upgrade is not immediately possible, restrict the creation or execution of Synthetic Monitors to trusted privileged accounts and consider disabling the feature until a patch is available.
  • Review probe host access controls and monitor for unexpected process creations to detect potential exploitation.


Tracking


Advisories
Source: Github GHSA
ID: GHSA-jw8q-gjvg-8w4q
Title: OneUptime has Synthetic Monitor RCE via exposed Playwright browser object
History

Thu, 12 Mar 2026 14:15:00 +0000

  • First Time appeared (values added): Hackerbay; Hackerbay oneuptime
  • CPEs (values added): cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
  • Vendors & Products (values added): Hackerbay; Hackerbay oneuptime

Wed, 11 Mar 2026 12:00:00 +0000

  • First Time appeared (values added): Oneuptime; Oneuptime oneuptime
  • Vendors & Products (values added): Oneuptime; Oneuptime oneuptime

Tue, 10 Mar 2026 19:15:00 +0000

  • Metrics ssvc (values added): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 17:15:00 +0000

  • Description (values added): identical to the Description section at the top of this record
  • Title (values added): OneUptime Synthetic Monitor RCE via exposed Playwright browser object
  • Weaknesses (values added): CWE-749
  • References (values added): none listed
  • Metrics cvssV3_1 (values added): {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T18:22:16.657Z

Reserved: 2026-03-07T17:34:39.981Z

Link: CVE-2026-30957

Vulnrichment

Updated: 2026-03-10T18:22:10.734Z

NVD

Status : Analyzed

Published: 2026-03-10T18:18:54.737

Modified: 2026-03-12T14:11:29.423

Link: CVE-2026-30957

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses