CVE-2026-27574
Sandbox Escape in OneUptime JavaScript Monitor Enables Full Cluster Compromise
Publication date: 2026-02-21
Last updated on: 2026-02-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hackerbay | oneuptime | up to 10.0.5 (excluding 10.0.5) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27574 is a critical remote code execution vulnerability in OneUptime versions 9.5.13 and below. It arises because the custom JavaScript monitor feature executes user-supplied code using Node.js's native vm module, which is explicitly not designed as a security sandbox. This allows attackers to escape the sandbox trivially using a known one-liner, gaining full access to the underlying process.

Since the probe runs with host networking and holds sensitive cluster credentials in environment variables, and because monitor creation is available to even the lowest user role with open registration enabled by default, any anonymous user can exploit this to achieve full cluster compromise quickly. [2]
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary code on the OneUptime probe host with low privileges and no user interaction. By exploiting the sandbox escape, the attacker gains access to all sensitive environment variables containing cluster credentials, enabling full compromise of the entire cluster.
- Full remote code execution on the probe host.
- Access to sensitive credentials such as ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, and CLICKHOUSE_PASSWORD.
- Ability to connect directly to and compromise PostgreSQL, Redis, and ClickHouse services.
- Complete cluster takeover without needing admin privileges or special configuration.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your OneUptime installation is running a version 9.5.13 or below, which uses the unsafe Node.js vm module for executing user-supplied JavaScript code in monitors.

You can also look for monitors created by low-privilege users (ProjectMember role) that contain custom JavaScript code using the known sandbox escape pattern: `this.constructor.constructor('return process')()`.

To detect exploitation attempts or presence of malicious monitors, you might search logs or monitor configurations for this pattern or suspicious commands executed via the probe.

- Check OneUptime version: `oneuptime --version` or check the installed package version.
- Search monitor configurations for suspicious custom JavaScript code containing sandbox escape: `grep -r "this.constructor.constructor('return process')()" /path/to/oneuptime/monitors`
- Inspect logs for commands or environment variable leaks related to the probe process. [2]
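The exact-string grep above misses trivial rewrites of the escape one-liner (different quote style, extra whitespace). As an added example that is not part of this record or of OneUptime's code, the following Node.js scanner normalises quotes and whitespace before matching a small set of sandbox-escape indicators across monitor definitions; the monitor field names (`monitorId`, `createdByRole`, `script`) and the sample monitors are constructed assumptions, not the product's schema or real data.

```javascript
// Added example: flag OneUptime-style custom JavaScript monitor scripts that
// contain known sandbox-escape indicators. Field names are assumptions.
const INDICATORS = [
  // The one-liner cited in the advisory, matched after normalisation so that
  // spacing and quote-style variants are still caught.
  { name: 'constructor-chain-to-Function', re: /constructor\s*\.\s*constructor\s*\(/ },
  { name: 'Function-constructor', re: /\bFunction\s*\(/ },
  { name: 'process-env-access', re: /\bprocess\s*\.\s*env\b/ },
  { name: 'require-or-child_process', re: /\brequire\s*\(|child_process/ },
];

// Collapse runs of whitespace and unify quote characters, so
// `this . constructor . constructor ("return process")()` normalises to the
// same shape as the canonical pattern.
function normalise(script) {
  return script.replace(/\s+/g, ' ').replace(/["`]/g, "'");
}

// Return the names of all indicators present in one script.
function scanScript(script) {
  const norm = normalise(script);
  return INDICATORS.filter((i) => i.re.test(norm)).map((i) => i.name);
}

// Return one finding per monitor whose script matches at least one indicator,
// keeping the creating role so low-privilege authors can be triaged first.
function scanMonitors(monitors) {
  const findings = [];
  for (const m of monitors) {
    if (typeof m.script !== 'string') continue;
    const hits = scanScript(m.script);
    if (hits.length) findings.push({ monitorId: m.monitorId, createdByRole: m.createdByRole, hits });
  }
  return findings;
}

// Constructed sample monitors (not real data): one benign health check, the
// canonical escape, and a whitespace/backtick variant of the same escape.
const SAMPLE_MONITORS = [
  { monitorId: 'mon-1', createdByRole: 'ProjectMember',
    script: 'return fetch("https://example.invalid/health").then((r) => r.status === 200);' },
  { monitorId: 'mon-2', createdByRole: 'ProjectMember',
    script: "const p = this.constructor.constructor('return process')(); return p.env;" },
  { monitorId: 'mon-3', createdByRole: 'ProjectMember',
    script: 'const p = this . constructor . constructor ( `return process` ) ( ) ; return p.env;' },
];

console.log(JSON.stringify(scanMonitors(SAMPLE_MONITORS), null, 2));
```

Only mon-2 and mon-3 are reported; a literal grep for the one-liner would have missed mon-3.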
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OneUptime to version 10.0.5 or later, where the vulnerability is fixed by replacing the unsafe Node.js vm module with the secure isolated-vm library and running user scripts in isolated child processes.
If upgrading immediately is not possible, consider disabling the custom JavaScript monitor feature or restricting monitor creation permissions to trusted users only, to prevent untrusted code execution.
Additionally, review and rotate all sensitive environment credentials (ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, CLICKHOUSE_PASSWORD) as they may have been compromised.
- Upgrade OneUptime to version 10.0.5 or later.
- Disable or restrict creation of custom JavaScript monitors.
- Rotate all cluster credentials stored in environment variables.
- Monitor logs and audit for any signs of exploitation.