CVE-2026-30957 in oneuptime

Summary

by MITRE • 03/10/2026

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.


Analysis

by VulDB Data Team • 03/14/2026

CVE-2026-30957 affects OneUptime, a monitoring and management solution for online services. The flaw is present in versions prior to 10.0.21 and is a server-side remote code execution vulnerability. It sits in OneUptime Synthetic Monitors, the feature that tests and monitors service availability and performance, and it lets a low-privileged authenticated project user execute arbitrary commands on the underlying oneuptime-probe server or container. Because the probe runs the monitors, this single account-level weakness puts the whole monitoring infrastructure at risk.

The root cause is how untrusted Synthetic Monitor code is run: the probe executes it inside Node.js's vm module while exposing live host-realm Playwright browser and page objects to that untrusted code. The vm module separates JavaScript globals, but any host object placed into the context is reachable in full, so the Playwright automation API becomes a direct path from the monitor script to the host. No separate vm sandbox escape or complex exploitation chain is needed, which is why the issue is reachable by attackers with minimal privileges. Through the exposed Playwright objects, malicious code can control the browser process and cause the probe to spawn an attacker-controlled executable, bypassing the boundary that was supposed to protect the underlying system.

The impact goes beyond the code execution itself. An attacker holding a project user account could gain full control of the oneuptime-probe server or container, read the monitoring data it handles, disrupt service availability, or use the probe as a foothold for further movement within the network. Because the probe is core to OneUptime's monitoring, successful exploitation could lead to data exfiltration, service disruption, or persistent backdoors in the monitored environment. The weakness falls under CWE-74 and CWE-94, the injection and code injection classes, and maps to ATT&CK techniques for command execution and privilege escalation.

The mitigation is straightforward: upgrade to OneUptime 10.0.21 or later, which contains the fix. Administrators should additionally monitor the Synthetic Monitor functionality for anomalous behaviour that could indicate exploitation attempts, and should restrict the ability to create or modify Synthetic Monitors to personnel who need it, since the flaw is reachable by any authenticated project user. The fix in 10.0.21 likely involves stricter isolation of untrusted code, removal of direct browser object exposure, or additional validation that keeps monitor code away from Playwright APIs. Organizations still on older versions should assess whether the probe has already been compromised and apply compensating controls until the upgrade is complete.

Responsible: GitHub M
Reservation: 03/07/2026
Disclosure: 03/10/2026
Moderation: accepted
CPE: ready
EPSS: 0.00112
KEV: no
Activities: very low
