Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipulation. This issue has been patched in version 10.0.42.
Published: 2026-04-02
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in OneUptime's Worker service exposes the manual workflow execution endpoints without any authentication. An attacker who obtains or guesses a workflow identifier can trigger workflow runs with arbitrary input data. Because workflows can execute JavaScript, this gives the attacker code execution on the Worker, along with the ability to manipulate the data the platform monitors and to abuse the notification mechanisms workflows drive. The CVSS vector rates confidentiality, integrity and availability impact all high, so a successful attack should be treated as a compromise of the Worker host.
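The following is an added example, not OneUptime's code: a dependency-free Node.js model of the ManualAPI run route from the advisory, written once as the unauthenticated pattern the description attributes to versions before 10.0.42 and once with an authentication check placed ahead of workflow lookup. The shared secret, the X-Worker-Secret header, the request shape and the workflow store are all hypothetical; the point is the ordering of the check relative to execution and the constant-time comparison of the secret.

```javascript
// Added example, not OneUptime's code. A minimal dependency-free model of
// the ManualAPI run route from the advisory, once as the unauthenticated
// pattern CVE-2026-35053 describes and once with an authentication check in
// front of it. WORKER_SECRET, the X-Worker-Secret header and the workflow
// store are hypothetical.
const WORKER_SECRET = "example-secret-rotate-me"; // hypothetical shared secret

// Constructed sample workflow store keyed by workflow ID.
const workflows = new Map([
  ["wf-1234", { name: "notify-oncall", run: (input) => ({ ran: "notify-oncall", input }) }],
]);

// Constant-time comparison: the loop length never depends on where the
// first mismatching byte is, so response timing cannot leak the secret.
function secretMatches(presented) {
  if (typeof presented !== "string") return false;
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(WORKER_SECRET, "utf8");
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a[i] ?? 0) ^ (b[i] ?? 0);
  }
  return diff === 0;
}

// Shared execution step: look the workflow up and run it with the request
// body as its input data. Both handlers below funnel into this.
function executeWorkflow(workflowId, input) {
  const wf = workflows.get(workflowId);
  if (!wf) return { status: 404, body: { error: "workflow not found" } };
  return { status: 200, body: wf.run(input) };
}

// Vulnerable shape (pre-10.0.42 behaviour as the advisory describes it):
// the path parameter goes straight to execution; nothing checks who is calling.
function vulnerableManualRun(req) {
  return executeWorkflow(req.params.workflowId, req.body);
}

// Hardened shape: authenticate before consulting the workflow store. An
// unauthenticated caller gets 401 whether or not the ID exists, so the
// endpoint no longer confirms which workflow IDs are valid.
function hardenedManualRun(req) {
  if (!secretMatches(req.headers["x-worker-secret"])) {
    return { status: 401, body: { error: "unauthorized" } };
  }
  return executeWorkflow(req.params.workflowId, req.body);
}

// Helper to build a request object in the shape both handlers expect
// (method is kept only because GET and POST share the same handler).
function makeRequest(method, workflowId, body = {}, headers = {}) {
  return { method, params: { workflowId }, body, headers };
}
```

The hardened handler rejects before it touches the workflow store, which matters twice over: a caller without the secret cannot execute anything, and cannot use the 404-versus-200 difference to confirm which workflow IDs exist before trying to obtain the secret elsewhere.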

Affected Systems

Affected systems are OneUptime installations whose Worker service is older than version 10.0.42. The issue is specific to the ManualAPI endpoints GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId, which accept requests from any client with network access to the Worker, authenticated or not.

Risk and Exploitability

The CVSS 4.0 score of 9.2 is critical. EPSS data is unavailable, but an unauthenticated endpoint reachable with an ordinary HTTP request is straightforward to exploit on any internet-exposed instance. The vulnerability is not listed in CISA's KEV catalog. The vector (AV:N/AC:L/AT:P/PR:N/UI:N) records a network attack needing no privileges and no user interaction; the one attack requirement (AT:P) corresponds to knowing a valid workflow ID, which an attacker may guess or obtain from another source.

Generated by OpenCVE AI on April 2, 2026 at 22:50 UTC.

Remediation

No separate vendor advisory or workaround is recorded here; the fix is the patched release 10.0.42 noted in the description.

OpenCVE Recommended Actions

  • Upgrade OneUptime to version 10.0.42 or later.
  • Verify that the ManualAPI endpoints now reject unauthenticated requests instead of executing the workflow.
  • If the upgrade cannot be performed immediately, block external traffic to the Worker service's ManualAPI endpoints using firewall rules or network ACLs, so that only the components that need to call the Worker can reach it.
  • Monitor Worker access logs for workflow execution requests from unexpected clients, and for one client trying many workflow IDs, and investigate any such activity.
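An added example of the monitoring step, not OneUptime's code: it scans constructed Worker access-log lines for the two run endpoints named in the advisory and flags callers that are not among the clients expected to reach the Worker, or that have tried several distinct workflow IDs with mostly failures, which is what guessing an ID looks like. The log line format "<time> <client ip> <method> <path> <status>" and the trusted-client set are assumptions.

```javascript
// Added example, not OneUptime's code. Scans constructed Worker access-log
// lines for the ManualAPI run endpoints named in the advisory and flags
// callers that look like they are guessing workflow IDs or that are not
// among the clients expected to reach the Worker. The log line format
// "<time> <client ip> <method> <path> <status>" is an assumption.
const SAMPLE_LOG = `
2026-04-02T20:00:01Z 10.0.0.5 GET /status/healthy 200
2026-04-02T20:00:02Z 198.51.100.7 POST /workflow/manual/run/wf-0001 404
2026-04-02T20:00:02Z 198.51.100.7 POST /workflow/manual/run/wf-0002 404
2026-04-02T20:00:03Z 198.51.100.7 GET /workflow/manual/run/wf-0003 404
2026-04-02T20:00:03Z 198.51.100.7 POST /workflow/manual/run/wf-0004 200
2026-04-02T20:00:09Z 10.0.0.5 GET /workflow/manual/run/wf-0004 200
`;

// Path shape from the advisory; the capture group is the workflowId.
const MANUAL_RUN_PATH = /^\/workflow\/manual\/run\/([^/?#]+)/;

function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 5) return null;
  const [time, ip, method, path, status] = parts;
  return { time, ip, method, path, status: Number(status) };
}

// Returns one finding per client that touched the run endpoints, sorted so
// the caller with the most distinct IDs comes first. trustedClients is the
// set of addresses expected to call the Worker (supplied by the operator).
function analyzeManualRuns(logText, trustedClients, guessThreshold = 3) {
  const perClient = new Map();
  for (const raw of logText.split("\n")) {
    const rec = parseLine(raw);
    if (!rec) continue;
    const m = MANUAL_RUN_PATH.exec(rec.path);
    if (!m) continue;
    const e = perClient.get(rec.ip) ?? { ids: new Set(), total: 0, executed: 0 };
    e.ids.add(m[1]);
    e.total += 1;
    if (rec.status >= 200 && rec.status < 300) e.executed += 1;
    perClient.set(rec.ip, e);
  }
  const findings = [];
  for (const [ip, e] of perClient) {
    findings.push({
      ip,
      distinctIds: e.ids.size,
      requests: e.total,
      executed: e.executed,
      untrusted: !trustedClients.has(ip),
      // Many distinct IDs with mostly failures is the signature of ID guessing.
      suspectedEnumeration: e.ids.size >= guessThreshold && e.executed < e.total,
    });
  }
  return findings.sort((a, b) => b.distinctIds - a.distinctIds);
}
```

In the constructed sample, 198.51.100.7 is outside the trusted set, tried four IDs and succeeded once, so it is reported as both untrusted and a suspected enumeration; 10.0.0.5 ran one known workflow from a trusted address and is reported without either flag. On a pre-10.0.42 Worker the `executed` count for an untrusted client is the number of workflows that actually ran, which is the figure an incident responder needs first.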

Generated by OpenCVE AI on April 2, 2026 at 22:50 UTC.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Oneuptime
                                      Oneuptime oneuptime
Vendors & Products                    Oneuptime
                                      Oneuptime oneuptime

Thu, 02 Apr 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipulation. This issue has been patched in version 10.0.42.
Title                          OneUptime: Unauthenticated Workflow Execution via ManualAPI
Weaknesses                     CWE-306
References
Metrics                        cvssV4_0
                               {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T18:55:49.130Z

Reserved: 2026-03-31T21:06:06.429Z

Link: CVE-2026-35053

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-02T20:16:29.117

Modified: 2026-04-02T20:16:29.117

Link: CVE-2026-35053

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:16:32Z

Weaknesses