Critical (9.9)

CVE-2026-27574: OneUptime [PoC]

CVE-2026-27574

OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, the custom JavaScript monitor feature uses Node.js's node:vm module (explicitly documented as not a secur...

Affected: Java Node.js

Overview

A critical security vulnerability has been identified in OneUptime, a service monitoring platform. This flaw allows an unauthenticated attacker to completely compromise the entire OneUptime cluster and gain access to its most sensitive credentials.

Vulnerability Description

In affected versions, a feature called the “custom JavaScript monitor” uses an unsafe method to run user-provided code. This method, Node.js’s node:vm module, is explicitly not designed for security and can be easily bypassed. An attacker can exploit this with a simple, well-known command to break out of the intended restricted environment.

Once escaped, the attacking code runs with the full privileges of the OneUptime probe process. This process has access to the host network and, most critically, stores all the core cluster secrets (such as the database and Redis passwords) in its environment variables.

Impact

The impact of this vulnerability is severe (CRITICAL, CVSS: 9.9). By creating a malicious monitor, any user with the lowest-level role (ProjectMember) can execute arbitrary code on the host. With open registration enabled by default, this means an anonymous user could potentially achieve the following in under a minute:

  • Steal all environment secrets (ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, CLICKHOUSE_PASSWORD).
  • Gain full control over the OneUptime application and its underlying databases.
  • Use the compromised cluster as a foothold to attack other internal systems on the network.

Affected Versions

OneUptime versions 9.5.13 and below are vulnerable.

Remediation and Mitigation

Immediate action is required to protect your cluster.

Primary Fix (Upgrade): The only complete solution is to upgrade your OneUptime installation to version 10.0.5 or later, where this vulnerability has been patched.

Immediate Mitigation (If Upgrade is Delayed): If you cannot upgrade immediately, you must take these steps to reduce risk:

  1. Disable Open Registration: In your OneUptime settings, turn off the option for open user registration.
  2. Restrict Monitor Creation: Immediately review and adjust role permissions. Ensure the ProjectMember role does not have the ability to create or modify custom JavaScript monitors. Limit this capability to essential, trusted administrators only.
  3. Audit Logs: Review audit logs for any suspicious monitor creation activity, especially from recently created user accounts.
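Mitigation step 3 asks for an audit-log review. The following is an added example, not OneUptime's own code: a small Node.js triage script run over constructed audit-log lines. The JSON field names, the `monitor.create`/`monitor.update` action names and the `CustomJavaScript` monitor type are assumptions about the log format, not OneUptime's real schema. It flags custom JavaScript monitor changes made by ProjectMember accounts or by accounts created shortly before the change.

```javascript
// Added example (not OneUptime code). Field names and action names below are
// assumptions about an audit-log format; adapt them to the real export.
const SAMPLE_AUDIT_LOG = [ // constructed sample lines, one JSON object per line
  '{"ts":"2026-03-02T10:00:00Z","action":"monitor.create","monitorType":"CustomJavaScript","actor":"alice@example.com","actorRole":"ProjectAdmin","actorCreatedAt":"2025-01-10T00:00:00Z"}',
  '{"ts":"2026-03-02T10:05:00Z","action":"monitor.create","monitorType":"CustomJavaScript","actor":"new-user@example.net","actorRole":"ProjectMember","actorCreatedAt":"2026-03-02T09:58:00Z"}',
  '{"ts":"2026-03-02T10:06:00Z","action":"monitor.update","monitorType":"Website","actor":"bob@example.com","actorRole":"ProjectMember","actorCreatedAt":"2025-06-01T00:00:00Z"}',
  'not json at all',
  '{"ts":"2026-03-02T10:07:00Z","action":"monitor.update","monitorType":"CustomJavaScript","actor":"bob@example.com","actorRole":"ProjectMember","actorCreatedAt":"2025-06-01T00:00:00Z"}',
].join('\n');

const DAY_MS = 24 * 60 * 60 * 1000;

// Returns one finding per custom JavaScript monitor create/update event that
// came from a low-privilege role or from an account younger than newAccountDays.
function triageAuditLog(text, { newAccountDays = 7 } = {}) {
  const findings = [];
  for (const line of text.split('\n')) {
    let ev;
    try { ev = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!/^monitor\.(create|update)$/.test(ev.action)) continue;
    if (ev.monitorType !== 'CustomJavaScript') continue; // only the risky monitor type
    const reasons = [];
    const accountAgeMs = Date.parse(ev.ts) - Date.parse(ev.actorCreatedAt);
    if (Number.isFinite(accountAgeMs) && accountAgeMs < newAccountDays * DAY_MS) {
      reasons.push('recently created account');
    }
    if (ev.actorRole === 'ProjectMember') reasons.push('lowest-privilege role');
    if (reasons.length) {
      findings.push({ ts: ev.ts, actor: ev.actor, action: ev.action, reasons });
    }
  }
  return findings;
}

for (const f of triageAuditLog(SAMPLE_AUDIT_LOG)) {
  console.log(`${f.ts} ${f.action} by ${f.actor}: ${f.reasons.join(', ')}`);
}
```

Every flagged monitor should then be inspected directly, and the rotation advice below applies regardless of what the log shows, since a successful escape leaves no trace in monitor metadata.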

All users running a vulnerable version should treat their cluster credentials as potentially compromised and rotate all secrets (database, Redis, ClickHouse passwords, and the ONEUPTIME_SECRET) after applying the upgrade.


Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository: mbanyamer/CVE-2026-27574-OneUptime-RCE (GitHub stars: 1)

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
