CVE-2026-30921
Remote Code Execution via Playwright in OneUptime Synthetic Monitors
Publication date: 2026-03-10
Last updated on: 2026-03-12
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hackerbay | oneuptime | to 10.0.20 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-749 | The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30921 is a critical server-side Remote Code Execution (RCE) vulnerability in OneUptime's Synthetic Monitor feature affecting versions prior to 10.0.20.

Low-privileged project users can submit custom Playwright code that is executed on the oneuptime-probe service inside a Node.js VM context. However, this VM context is given live Playwright objects such as browser and page without sufficient sandboxing.

Because these dangerous host capability objects are exposed directly, attackers can bypass traditional sandbox escapes and use the injected Playwright browser object to launch arbitrary executables on the probe host or container.

This means an attacker with normal project membership permissions can execute arbitrary code on the server by submitting malicious Playwright scripts. [1]
How can this vulnerability impact me?
This vulnerability allows attackers with low privileges to execute arbitrary code on the probe host or container.
An attacker can gain access to internal services, secrets, Kubernetes metadata, database credentials, proxy credentials, and other sensitive cluster-local resources.
The impact includes a complete compromise of confidentiality, integrity, and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying whether your OneUptime installation is running a version prior to 10.0.20 and whether the Synthetic Monitor feature is enabled, allowing low-privileged users to submit custom Playwright scripts.
To detect exploitation attempts or the presence of malicious activity, you can monitor the execution of Playwright scripts on the oneuptime-probe service and look for unusual or unauthorized commands being run via the Playwright browser object.
Since the vulnerability involves execution of arbitrary commands on the probe host, you can check for suspicious processes or commands spawned by the oneuptime-probe container or host.
- Check the OneUptime version: `oneuptime --version` or check the installed package version.
- Inspect logs of the oneuptime-probe service for execution of unexpected Playwright scripts or commands.
- Use system commands to detect suspicious processes spawned by the probe host, for example: `ps aux | grep oneuptime-probe` or `ps aux | grep node`.
- Monitor network traffic for unusual outbound connections initiated by the probe host.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade OneUptime to version 10.0.20 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, restrict or disable the ability for low-privileged users to submit or edit Synthetic Monitor Playwright scripts to prevent exploitation.
Monitor and audit the usage of the Synthetic Monitor feature closely to detect any suspicious activity.
Consider isolating the oneuptime-probe service in a restricted environment or container with limited permissions to reduce the impact of potential exploitation.