Vulnerability Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hackerbay | Oneuptime | < 10.0.18 |
Related Weaknesses (CWE)
References
- https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67ExploitVendor Advisory
- https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67ExploitVendor Advisory
FAQ
What is CVE-2026-30887?
CVE-2026-30887 is a vulnerability with a CVSS score of 9.9 (CRITICAL). OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites...
How severe is CVE-2026-30887?
CVE-2026-30887 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-30887?
Check the references section above for vendor advisories and patch information. Affected products include: Hackerbay Oneuptime.