Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipulation. This issue has been patched in version 10.0.42.
Published: 2026-04-02
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Worker service in OneUptime exposes workflow execution endpoints that require no authentication. An attacker who discovers or guesses a workflow ID can trigger arbitrary workflow execution with custom input, leading to JavaScript code execution, notification abuse, and data manipulation. This is a high-severity flaw rooted in missing authentication controls (CWE-306), allowing a remote attacker to compromise the confidentiality, integrity, and availability of the system.

Affected Systems

The affected product is the OneUptime monitoring and observability platform, specifically the ManualAPI of its Worker service. Versions prior to 10.0.42 are vulnerable; the issue was fixed in the 10.0.42 release. The vulnerability involves the GET and POST /workflow/manual/run/:workflowId endpoints, which allow unauthenticated workflow execution.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.2, indicating critical impact, while the EPSS score is below 1%, suggesting a low probability of exploitation so far. It is not listed in the CISA KEV catalog. Based on the description, the attack vector is remote and unauthenticated; an attacker needs to obtain or guess a valid workflow ID to exploit the flaw, but no additional privileged access is required.

Generated by OpenCVE AI on April 13, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply OneUptime version 10.0.42 or later to remove the unauthenticated ManualAPI endpoints.
  • If upgrading immediately is not possible, restrict access to the /workflow/manual/run/ endpoints with firewall rules or VPN authentication to prevent unauthenticated traffic.
  • Configure the Worker service to require authentication for all manual workflow execution APIs.
  • Disable or delete unused or unnecessary workflows to reduce the attack surface.
  • Monitor logs for unexpected or unauthorized workflow executions and alert on suspicious activity.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:00:00 +0000

Type                  Values Removed  Values Added
First Time appeared                   Hackerbay
                                      Hackerbay oneuptime
CPEs                                  cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
Vendors & Products                    Hackerbay
                                      Hackerbay oneuptime
Metrics                               cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 03 Apr 2026 16:30:00 +0000

Type     Values Removed  Values Added
Metrics                  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type                  Values Removed  Values Added
First Time appeared                   Oneuptime
                                      Oneuptime oneuptime
Vendors & Products                    Oneuptime
                                      Oneuptime oneuptime

Thu, 02 Apr 2026 20:30:00 +0000

Type         Values Removed  Values Added
Description                  OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipulation. This issue has been patched in version 10.0.42.
Title                        OneUptime: Unauthenticated Workflow Execution via ManualAPI
Weaknesses                   CWE-306
References
Metrics                      cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T15:46:38.420Z

Reserved: 2026-03-31T21:06:06.429Z

Link: CVE-2026-35053

Vulnrichment

Updated: 2026-04-03T15:46:32.034Z

NVD

Status: Analyzed

Published: 2026-04-02T20:16:29.117

Modified: 2026-04-13T18:46:50.110

Link: CVE-2026-35053

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:53Z

Weaknesses