CVE-2026-29779
Status: Received - Intake
Information Disclosure in UptimeFlare Due to Client-Side Config Leak

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
UptimeFlare is a serverless uptime monitoring & status page solution, powered by Cloudflare Workers. Prior to commit 377a596, configuration file uptime.config.ts exports both pageConfig (safe for client use) and workerConfig (server-only, contains sensitive data) from the same module. Due to pages/incidents.tsx importing and using workerConfig directly inside client-side component code, the entire workerConfig object was included in the client-side JavaScript bundle served to all visitors. This issue has been patched via commit 377a596.
Meta Information
Published: 2026-03-07
Last Modified: 2026-03-11
Generated: 2026-05-07
AI Q&A: 2026-03-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: lyc8503
Product: uptimeflare
Version / Range: up to 2026-03-04 (exclusive)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-29779 is a sensitive data exposure vulnerability in the UptimeFlare project, a serverless uptime monitoring and status page solution. The issue arises because a private configuration object called workerConfig, which contains sensitive data such as credentials and monitor configurations, was mistakenly imported and bundled into client-side JavaScript code. This caused the entire workerConfig to be exposed to all visitors through their browsers.

The root cause was that client-side components like pages/incidents.tsx imported workerConfig directly, which should have been used only server-side. The vulnerability was fixed by refactoring the code to remove direct imports of workerConfig in client code, exposing only sanitized data via server-side rendering functions, and adding ESLint rules to prevent future improper imports.
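The server-side projection the answer describes, as an added example that is not UptimeFlare's own code: the page component receives only the fields it renders, and a guard at the server-rendering boundary refuses props that still contain any value from a server-only field. The config shape, the field names and the helper names toClientMonitors, serverOnlyValues and assertClientSafe are assumptions made for illustration.

```typescript
// Added example, not UptimeFlare's code: the server-side projection the fix
// describes. Field names are assumptions; the real uptime.config.ts differs.
interface MonitorConfig {
  id: string;
  name: string;
  target: string;                    // internal host:port, server-only
  headers?: Record<string, string>;  // e.g. Authorization, server-only
}
interface WorkerConfig {
  monitors: MonitorConfig[];
  notification?: Record<string, string>; // bot tokens / webhook URLs, server-only
}

// Constructed sample with obviously fake secrets.
export const workerConfig: WorkerConfig = {
  monitors: [
    { id: "db", name: "Postgres", target: "10.0.12.7:5432" },
    { id: "api", name: "API", target: "api.internal.example",
      headers: { Authorization: "Bearer FAKE-api-token" } },
  ],
  notification: { telegramBotToken: "123456789:FAKE_TELEGRAM_TOKEN" },
};

// The only fields a status page needs to render; nothing else leaves the server.
export interface ClientMonitor { id: string; name: string }
export function toClientMonitors(cfg: WorkerConfig): ClientMonitor[] {
  return cfg.monitors.map(({ id, name }) => ({ id, name }));
}

// Every string stored in a server-only field, used as a deny-list below.
export function serverOnlyValues(cfg: WorkerConfig): string[] {
  const values = (o: Record<string, string> | undefined) =>
    o ? Object.keys(o).map((k) => o[k]) : [];
  const out: string[] = [];
  for (const m of cfg.monitors) out.push(m.target, ...values(m.headers));
  out.push(...values(cfg.notification));
  return out;
}

// Guard at the getServerSideProps/getStaticProps boundary: refuse to return
// props that still carry any server-only value, however they got there.
export function assertClientSafe<T>(props: T, cfg: WorkerConfig): T {
  const serialized = JSON.stringify(props);
  for (const v of serverOnlyValues(cfg)) {
    if (v && serialized.indexOf(v) !== -1) {
      throw new Error(`server-only value would reach the client: ${v.slice(0, 4)}…`);
    }
  }
  return props;
}

// In pages/incidents.tsx the component would then receive only these props:
//   getServerSideProps = () => ({ props: assertClientSafe(
//     { monitors: toClientMonitors(workerConfig) }, workerConfig) })
```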


How can this vulnerability impact me?

This vulnerability can lead to the full exposure of sensitive configuration data to any user visiting the UptimeFlare-powered site. Specifically, attackers or any users can access credentials and secrets such as API tokens, webhook URLs with embedded secrets (e.g., Telegram Bot API tokens, Discord webhook URLs), internal hostnames, IP addresses, TCP ports, HTTP authorization headers, and other confidential monitor configuration details.

Because these secrets are exposed in client-side JavaScript bundles, they can be easily extracted by inspecting the browser's developer tools, potentially allowing unauthorized access to notification channels and monitoring infrastructure.

The CVSS v3.1 base score of 7.5 reflects a high severity, with no privileges or user interaction required for exploitation, making it a serious risk. [1, 2, 3]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the exposure of sensitive configuration data (workerConfig) in client-side JavaScript bundles of UptimeFlare. To detect it, you can inspect the client-side JavaScript served by your UptimeFlare deployment for the presence of sensitive data such as API tokens, webhook URLs, or internal hostnames.

One practical approach is to fetch the client-side bundle files and search for keywords related to sensitive data. For example, you can use curl or wget to download the JavaScript bundle and grep to search for suspicious strings.

  • curl -s https://your-uptimeflare-domain/_next/static/chunks/pages/incidents.js | grep -E 'token|webhook|Authorization|Bearer'
  • Alternatively, inspect the browser's developer tools (Sources tab) to look for the presence of workerConfig or sensitive credentials in the loaded JavaScript files.

Since the vulnerability is caused by improper import of workerConfig in client-side code, reviewing your source code for imports of workerConfig in client components (e.g., pages/incidents.tsx, pages/index.tsx) can also help detect the issue. [1, 2, 3]
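The bundle-inspection approach above, carried a step further as an added example that is not part of the page or the project: a scanner that runs over the text of a served JavaScript bundle (obtained as the curl command shows) and reports the kinds of values the advisory says workerConfig carried, redacting each match so the report does not re-leak it. The indicator patterns, the sample bundle fragment and the helper names scanBundle and summarize are constructed for illustration.

```typescript
// Added example, not UptimeFlare's code: scan the text of a served JS bundle
// for the value types the advisory says workerConfig carried. Patterns are
// heuristics; a hit is a lead to review on your own deployment, not proof.
export interface Finding { kind: string; offset: number; snippet: string }

const INDICATORS: Array<[string, RegExp]> = [
  // Exported identifiers survive minification; local names usually do not.
  ["worker-config-identifier", /\bworkerConfig\b/g],
  ["telegram-bot-token", /\b\d{8,10}:[A-Za-z0-9_-]{35}\b/g],
  ["discord-webhook", /https:\/\/(?:canary\.|ptb\.)?discord(?:app)?\.com\/api\/webhooks\/\d+\/[\w-]+/g],
  ["bearer-auth", /Bearer\s+[A-Za-z0-9._~+\/-]{16,}=*/g],
  ["private-ip", /\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b/g],
];

// Keep the report itself from re-leaking the value: first characters only.
function redact(value: string): string {
  return value.length <= 8 ? value : `${value.slice(0, 6)}…[${value.length - 6} more chars]`;
}

export function scanBundle(text: string): Finding[] {
  const findings: Finding[] = [];
  for (const [kind, re] of INDICATORS) {
    re.lastIndex = 0; // shared /g regexes keep state between calls
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      findings.push({ kind, offset: m.index, snippet: redact(m[0]) });
    }
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Count per kind, the shape a CI check or dashboard would consume.
export function summarize(findings: Finding[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Constructed, minified-looking bundle fragment with obviously fake secrets.
const rep = (c: string, n: number) => new Array(n + 1).join(c);
export const SAMPLE_BUNDLE = [
  'n.d(t,{workerConfig:function(){return o}});var o={monitors:[',
  '{id:"db",name:"Postgres",target:"10.0.12.7:5432"},',
  '{id:"api",name:"API",headers:{Authorization:"Bearer ' + rep("x", 24) + '"}}],',
  'notification:{telegramBotToken:"123456789:AAE' + rep("x", 32) + '",',
  'discordWebhook:"https://discord.com/api/webhooks/1234567890/FAKE_webhook-token"}};',
].join("");
```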


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade UptimeFlare to the patched version that includes commit 377a596 or later, which fixes the vulnerability by restricting workerConfig imports to server-side code only.

If immediate upgrading is not possible, you should temporarily remove all sensitive values from the workerConfig file to prevent exposure.

After upgrading or removing sensitive data, you must rotate all credentials that may have been exposed during the vulnerable period, including API tokens, webhook URLs, and other secrets.

  • Upgrade UptimeFlare to the latest version including commit 377a596.
  • Remove sensitive data from workerConfig if upgrade is delayed.
  • Rotate all potentially exposed credentials immediately.

No workaround exists without code changes, so applying the patch and rotating secrets is critical.

