CVE-2026-30887
Remote Code Execution in OneUptime Synthetic Monitors via Sandbox Escape
Publication date: 2026-03-10
Last updated on: 2026-03-12
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hackerbay | oneuptime | up to 10.0.18 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30887 is a critical Remote Code Execution (RCE) vulnerability in the OneUptime npm package versions prior to 10.0.18. It occurs because OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors, which is executed using Node.js's vm module without proper sandboxing or filtering.

An attacker can exploit this by using a prototype chain escape payload (this.constructor.constructor) to bypass the sandbox and gain access to the underlying Node.js process object. This access enables execution of arbitrary system commands on the oneuptime-probe container.

Since the probe container holds sensitive environment variables such as database and cluster credentials, this leads to a complete cluster compromise. The exploit can be triggered through the OneUptime web dashboard by any user with Project Member permissions. [1]
How can this vulnerability impact me?
This vulnerability allows an attacker with Project Member permissions to execute arbitrary system commands on the oneuptime-probe container, resulting in full Remote Code Execution (RCE).
Because the probe container holds sensitive environment variables including database and cluster credentials, an attacker can exfiltrate these secrets and gain complete control over the entire cluster.
The impact includes full compromise of confidentiality, integrity, and availability of the affected system and its data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your OneUptime installation is running a version prior to 10.0.18, as those versions are vulnerable.
Additionally, monitoring for suspicious Synthetic Monitor creations or modifications in the OneUptime web dashboard by project members can help detect exploitation attempts.
Since the exploit involves executing arbitrary JavaScript code via the Playwright script editor, reviewing logs or audit trails for unusual or unauthorized Playwright scripts may indicate an attack.
There are no specific commands provided in the resources to detect the vulnerability directly on the system or network.
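The two checks described in the answer above, written out as a small defensive script. This is an added example, not code from OneUptime or from the advisory: it compares an installed version against the fixed release 10.0.18 and scans a trail of Synthetic Monitor audit events for the prototype-chain escape pattern the advisory names. The audit-event shape (`user`, `monitor`, `script` fields), the sample events, and the second "process object reference" pattern are assumptions made for illustration.

```python
"""Defensive checks for CVE-2026-30887 (added example; not OneUptime project code).

  1. Is the installed OneUptime version older than the fixed 10.0.18?
  2. Do Synthetic Monitor scripts in an audit trail contain the
     prototype-chain sandbox-escape pattern the advisory names?

The audit-event shape and field names are assumptions for illustration.
"""
import json
import re

FIXED_VERSION = (10, 0, 18)  # fixed release per the advisory

# Patterns worth flagging in a monitor script. The first is the escape the
# advisory names; the second (a direct reference to the Node process object)
# is an added assumption about what a reviewer would also want surfaced.
SUSPICIOUS_PATTERNS = {
    "prototype-chain escape": re.compile(r"\bconstructor\s*\.\s*constructor\b"),
    "process object reference": re.compile(r"\bprocess\s*\.\s*\w+"),
}


def parse_version(version: str) -> tuple:
    """Turn '10.0.17', 'v10.0.17' or '10.0.17-rc1' into a comparable tuple.

    Pre-release and build suffixes are dropped, so a pre-release of the fixed
    version compares as fixed; treat that case conservatively if it matters.
    """
    core = version.strip().lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed version is older than the fixed 10.0.18."""
    return parse_version(version) < FIXED_VERSION


def scan_script(script: str) -> list:
    """Return the names of the suspicious patterns found in a monitor script."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(script)]


def flag_audit_events(jsonl: str) -> list:
    """Parse newline-delimited JSON audit events and return the flagged ones.

    Each event is assumed to carry 'user', 'monitor' and 'script' fields.
    """
    flagged = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = scan_script(event.get("script", ""))
        if hits:
            flagged.append({"user": event["user"], "monitor": event["monitor"], "hits": hits})
    return flagged


# Constructed sample audit trail: one benign check, two that should be flagged.
SAMPLE_AUDIT = "\n".join([
    json.dumps({"user": "alice", "monitor": "homepage-check",
                "script": "await page.goto('https://example.com'); await page.title();"}),
    json.dumps({"user": "mallory", "monitor": "status-check",
                "script": "const f = this.constructor.constructor; run(f);"}),
    json.dumps({"user": "eve", "monitor": "login-check",
                "script": "console.log(process.env);"}),
])

if __name__ == "__main__":
    print("10.0.17 vulnerable:", is_vulnerable_version("10.0.17"))
    for event in flag_audit_events(SAMPLE_AUDIT):
        print("FLAGGED", event)
```

Run it against the `version` field of the installed package's `package.json` and an export of monitor-script changes; a hit on the first pattern in any script written by a project member is the signal the answer above suggests looking for, and the version check tells you whether the installation is still in the affected range.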
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade OneUptime to version 10.0.18 or later, where this vulnerability has been fixed.
Restrict project member permissions to trusted users only, as any project member can exploit this vulnerability by injecting malicious code.
If possible, disable or restrict the creation and editing of Synthetic Monitors that allow custom Playwright/JavaScript code execution until the patch is applied.
Monitor and audit the environment variables and credentials exposed to the probe container, and consider rotating secrets such as ONEUPTIME_SECRET and DATABASE_PASSWORD after patching.