CVE-2026-30957: Remote Code Execution via Insecure Sandbox Exposure in OneUptime
Vulnerability ID: CVE-2026-30957
CVSS Score: 10.0
Published: 2026-03-10
OneUptime versions prior to 10.0.21 contain a critical server-side remote code execution vulnerability within the Synthetic Monitor component. The application improperly injects a host-realm Playwright browser object into an isolated Node.js VM context. Authenticated attackers can invoke Playwright process management methods to escape the sandbox and execute arbitrary commands on the underlying probe container.
TL;DR
Insecure injection of a host-realm Playwright object into a Node.js sandbox allows authenticated OneUptime users to achieve remote code execution on the probe server.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-749
- Attack Vector: Network
- Privileges Required: Low (Authenticated)
- CVSS Score: 10.0
- Impact: Remote Code Execution (RCE)
- Exploit Status: Proof of Concept Available
- KEV Status: Not Listed
Affected Systems
- OneUptime Synthetic Monitors
- oneuptime-probe container
- OneUptime: < 10.0.21 (Fixed in: 10.0.21)
Code Analysis
Commit: ce25397
Security patch removing browser object from VM context and updating VMRunner blocklist.
--- a/Probe/Utils/Monitors/MonitorTypes/SyntheticMonitor.ts
+++ b/Probe/Utils/Monitors/MonitorTypes/SyntheticMonitor.ts
- browser: browserSession.browser,
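Review bot: only the `browser` entry is removed from the context handed to the VM; if `browserSession` also contributes other objects (a page or context) to that same context, they are host-realm Playwright objects as well and should be checked against the same blocklist, so the commit should state either that nothing else from `browserSession` is injected or that VMRunner's check applies to every injected object. A short comment at the removal site explaining why the browser object must never be exposed to sandboxed scripts would help prevent it being reintroduced.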
--- a/Common/Server/Utils/VM/VMRunner.ts
+++ b/Common/Server/Utils/VM/VMRunner.ts
+ "browserType",
+ "launch",
+ "launchPersistentContext",
+ "connectOverCDP",
+ "newCDPSession",
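Review bot: the added names form a denylist that can silently drift from the Playwright surface it is meant to cover, and no regression test accompanies it; suggest adding a test that builds the VM context the way SyntheticMonitor does and asserts that none of the blocked names (`launch`, `connectOverCDP`, `newCDPSession` and the rest) resolve inside the sandbox, and documenting in the commit that the blocklist is defense in depth alongside removing the browser object rather than the sole control.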
Mitigation Strategies
- Update OneUptime application and probe components to version 10.0.21.
- Implement strict Role-Based Access Control (RBAC) to restrict Synthetic Monitor creation.
- Apply network egress filtering to the oneuptime-probe containers.
- Run the probe container as a non-root user with dropped Linux capabilities.
- Block container access to cloud metadata services (e.g., IMDSv2).
Remediation Steps:
- Identify all deployed instances of the OneUptime stack, specifically the oneuptime-probe containers.
- Verify the current running version. If the version is below 10.0.21, proceed with the upgrade.
- Update the container images to tag 10.0.21 or the latest stable release.
- Restart the probe services to ensure the patched application code is loaded into memory.
- Audit existing Synthetic Monitor configurations for unauthorized modifications or malicious payloads.