CVE-2026-30887: OneUptime

Overview

A critical security vulnerability, tracked as CVE-2026-30887, has been discovered in the OneUptime monitoring platform. This flaw allows authenticated project members to execute arbitrary system commands on the underlying server, leading to a full compromise of the monitoring system and potentially the entire backend cluster.

Vulnerability Details

OneUptime versions prior to 10.0.18 include a feature called Synthetic Monitors, which lets users run custom JavaScript code to test websites. This code was executed inside a sandbox created by Node.js’s vm module, which is not designed for security isolation. An attacker with project member access can craft malicious code that escapes this sandbox using a known JavaScript technique (this.constructor.constructor). Once escaped, the attacker gains direct access to the Node.js process running in the oneuptime-probe container, enabling full Remote Code Execution (RCE).

Impact and Risks

The severity of this vulnerability is critical (CVSS: 9.9). Successful exploitation leads to:

• Complete Container Compromise: Attackers can run any command on the oneuptime-probe container.
• Cluster-Wide Breach: Since the probe container stores sensitive database and cluster credentials in its environment variables, an attacker can steal these to compromise the entire backend infrastructure.
• Data Theft and Service Disruption: This access can be used to exfiltrate all monitored service data, alter monitoring configurations, or disrupt operations. For context on how such breaches unfold, recent incidents are detailed in our breach reports.

Remediation and Mitigation

Immediate action is required to secure affected systems.

Primary Fix:

• Upgrade Immediately: All users must upgrade their OneUptime installation to version 10.0.18 or later, which contains the patch for this vulnerability. No workarounds are available.

Additional Security Measures:

• Review Access Controls: Audit and minimize the number of users with project member permissions to use Synthetic Monitors.
• Monitor for Anomalies: Check system and container logs for any suspicious command execution or unauthorized access attempts, especially around the oneuptime-probe service.
• Isolate Credentials: As a general best practice, consider reviewing how sensitive credentials are stored and accessed by application containers to limit the blast radius of any future vulnerabilities.

Staying informed about such critical updates is crucial for maintaining security. For the latest on vulnerabilities and patches, follow our security news.