CVE-2026-30887
Received Received - Intake
Remote Code Execution in OneUptime Synthetic Monitors via Sandbox Escape

Publication date: 2026-03-10

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30887
EUVD
EUVD-2026-10420
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hackerbay oneuptime to 10.0.18 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30887 is a critical Remote Code Execution (RCE) vulnerability in the OneUptime npm package versions prior to 10.0.18. It occurs because OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors, which is executed using Node.js's vm module without proper sandboxing or filtering."}, {'type': 'paragraph', 'content': 'An attacker can exploit this by using a prototype chain escape payload (this.constructor.constructor) to bypass the sandbox and gain access to the underlying Node.js process object. This access enables execution of arbitrary system commands on the oneuptime-probe container.'}, {'type': 'paragraph', 'content': 'Since the probe container holds sensitive environment variables such as database and cluster credentials, this leads to a complete cluster compromise. The exploit can be triggered through the OneUptime web dashboard by any user with Project Member permissions.'}] [1]

Impact Analysis

This vulnerability allows an attacker with Project Member permissions to execute arbitrary system commands on the oneuptime-probe container, resulting in full Remote Code Execution (RCE).

Because the probe container holds sensitive environment variables including database and cluster credentials, an attacker can exfiltrate these secrets and gain complete control over the entire cluster.

The impact includes full compromise of confidentiality, integrity, and availability of the affected system and its data.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if your OneUptime installation is running a version prior to 10.0.18, as those versions are vulnerable.

Additionally, monitoring for suspicious Synthetic Monitor creations or modifications in the OneUptime web dashboard by project members can help detect exploitation attempts.

Since the exploit involves executing arbitrary JavaScript code via the Playwright script editor, reviewing logs or audit trails for unusual or unauthorized Playwright scripts may indicate an attack.

There are no specific commands provided in the resources to detect the vulnerability directly on the system or network.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade OneUptime to version 10.0.18 or later, where this vulnerability has been fixed.

Restrict project member permissions to trusted users only, as any project member can exploit this vulnerability by injecting malicious code.

If possible, disable or restrict the creation and editing of Synthetic Monitors that allow custom Playwright/JavaScript code execution until the patch is applied.

Monitor and audit the environment variables and credentials exposed to the probe container, and consider rotating secrets such as ONEUPTIME_SECRET and DATABASE_PASSWORD after patching.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30887. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart