Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts with no sanitization or authentication middleware. This vulnerability is fixed in 10.0.21.
Published: 2026-03-10
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Read (Unauthenticated)
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a path traversal flaw in the /workflow/docs/:componentName endpoint of OneUptime. An attacker can supply a specially crafted componentName value that, after concatenation into a file system path, bypasses the intended directory boundaries. The flaw allows reading any file accessible by the running process, including configuration files, secrets, and potentially sensitive data. Because no authentication checks are performed, any network user can exploit the flaw without credentials, leading to a high risk of data exposure.

Affected Systems

Installations of OneUptime at versions prior to 10.0.21 are affected, where the componentName route parameter feeds directly into res.sendFile(). The vulnerability applies to the vendor/product pair OneUptime:oneuptime, encompassing any deployment of the open‑source monitoring platform.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, and although the EPSS score is below 1%, the absence of a KEV listing does not diminish the potential impact. The lack of authentication makes the attack vector trivial for an external actor with network access to the endpoint. The exploit requires only an HTTP request and no special privileges, and can be performed by modifying the path segments or using relative directory references. Once triggered, the attacker obtains arbitrary filesystem content.

Generated by OpenCVE AI on April 16, 2026 at 09:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OneUptime to version 10.0.21 or later, which sanitizes the componentName input and removes the vulnerable endpoint logic.
  • Configure the reverse‑proxy or firewall to deny unauthenticated access to the /workflow/docs/ endpoint, ensuring that only authorized users can reach it.
  • Continuously monitor web server logs for path traversal patterns, such as repeated attempts to access hidden or system files, and investigate promptly.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 14:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Hackerbay; Hackerbay oneuptime
Type: CPEs
Values Removed: none
Values Added: cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Removed: none
Values Added: Hackerbay; Hackerbay oneuptime

Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Oneuptime; Oneuptime oneuptime
Type: Vendors & Products
Values Removed: none
Values Added: Oneuptime; Oneuptime oneuptime

Tue, 10 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:15:00 +0000

Type: Description
Values Removed: none
Values Added: OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts with no sanitization or authentication middleware. This vulnerability is fixed in 10.0.21.
Type: Title
Values Removed: none
Values Added: OneUptime: Path Traversal — Arbitrary File Read (No Auth)
Type: Weaknesses
Values Removed: none
Values Added: CWE-22
Type: References (no values listed)
Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T17:31:08.598Z

Reserved: 2026-03-07T17:34:39.981Z

Link: CVE-2026-30958

Vulnrichment

Updated: 2026-03-10T17:30:53.138Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:54.883

Modified: 2026-03-12T14:09:46.807

Link: CVE-2026-30958

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses