Description
Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh does not fully prevent Server-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a template uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via the root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js, has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('"/etc/passwd"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1.
Published: 2026-03-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read via SSTI in Notification Templates
Action: Update to 2.2.1
AI Analysis

Impact

The vulnerability allows an attacker to exploit server-side template injection (SSTI) within the notification template engine of Uptime Kuma. By supplying an unquoted absolute file path such as /etc/passwd to the template, the Liquid engine will resolve the path and return the file contents. This enables an attacker to read any file the service account can access on the host where the vulnerable instance is running, exposing sensitive configuration, credentials, or system data. The weakness lies in the template resolution logic, specifically an unguarded fallback resolution step that is never subjected to the containment checks applied to the earlier steps.

Affected Systems

Affected versions are Uptime Kuma 1.23.0 through 2.2.0, released by louislam. The issue existed in the core code that processes notification templates and persisted across multiple releases until the fix in 2.2.1.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of active exploitation. The vulnerability is not listed in the CISA KEV catalog. An attack requires the ability to inject content into a notification template, which means access to the template configuration or to templates stored on the instance. Although it does not provide remote code execution, the disclosure of arbitrary files can expose credentials or assist attackers in planning further attacks.

Generated by OpenCVE AI on March 24, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Uptime Kuma to version 2.2.1 or newer. Because the vulnerability was resolved in this release, the most reliable protection is the official patch.


Tracking


Advisories

No advisories yet.

History

Tue, 24 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Uptime.kuma
                                      Uptime.kuma uptime Kuma
CPEs                                  cpe:2.3:a:uptime.kuma:uptime_kuma:*:*:*:*:*:*:*:*
Vendors & Products                    Uptime.kuma
                                      Uptime.kuma uptime Kuma

Fri, 20 Mar 2026 22:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 16:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Louislam
                                      Louislam uptime-kuma
Vendors & Products                    Louislam
                                      Louislam uptime-kuma

Fri, 20 Mar 2026 10:00:00 +0000

Type                 Values Removed   Values Added
Description                           Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh does not fully prevent Server-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a template uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via the root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js, has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('"/etc/passwd"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1.
Title                                 Uptime Kuma: SSTI in Notification Templates Allows Arbitrary File Read (Incomplete Fix for GHSA-vffh-c9pq-4crh)
Weaknesses                            CWE-1336
                                      CWE-98
References
Metrics                               cvssV3_1
                                      {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T21:18:35.209Z

Reserved: 2026-03-17T20:35:49.927Z

Link: CVE-2026-33130

Vulnrichment

Updated: 2026-03-20T21:18:30.617Z

NVD

Status : Analyzed

Published: 2026-03-20T10:16:19.463

Modified: 2026-03-24T15:24:16.437

Link: CVE-2026-33130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:29:38Z

Weaknesses