CVE-2026-30921
Received Received - Intake
Remote Code Execution via Playwright in OneUptime Synthetic Monitors

Publication date: 2026-03-10

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-30921
EUVD
EUVD-2026-10434
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hackerbay oneuptime to 10.0.20 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-749 The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30921 is a critical server-side Remote Code Execution (RCE) vulnerability in OneUptime's Synthetic Monitor feature affecting versions prior to 10.0.20."}, {'type': 'paragraph', 'content': 'Low-privileged project users can submit custom Playwright code that is executed on the oneuptime-probe service inside a Node.js VM context. However, this VM context is given live Playwright objects such as browser and page without sufficient sandboxing.'}, {'type': 'paragraph', 'content': 'Because these dangerous host capability objects are exposed directly, attackers can bypass traditional sandbox escapes and use the injected Playwright browser object to launch arbitrary executables on the probe host or container.'}, {'type': 'paragraph', 'content': 'This means an attacker with normal project membership permissions can execute arbitrary code on the server by submitting malicious Playwright scripts.'}] [1]

Impact Analysis

This vulnerability allows attackers with low privileges to execute arbitrary code on the probe host or container.

An attacker can gain access to internal services, secrets, Kubernetes metadata, database credentials, proxy credentials, and other sensitive cluster-local resources.

The impact includes a complete compromise of confidentiality, integrity, and availability of the affected system.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by identifying if your OneUptime installation is running a version prior to 10.0.20 and if the Synthetic Monitor feature is enabled allowing low-privileged users to submit custom Playwright scripts.

To detect exploitation attempts or presence of malicious activity, you can monitor the execution of Playwright scripts on the oneuptime-probe service and look for unusual or unauthorized commands being run via the Playwright browser object.

Since the vulnerability involves execution of arbitrary commands on the probe host, you can check for suspicious processes or commands spawned by the oneuptime-probe container or host.

  • Check the OneUptime version: `oneuptime --version` or check the installed package version.
  • Inspect logs of the oneuptime-probe service for execution of unexpected Playwright scripts or commands.
  • Use system commands to detect suspicious processes spawned by the probe host, for example: `ps aux | grep oneuptime-probe` or `ps aux | grep node`.
  • Monitor network traffic for unusual outbound connections initiated by the probe host.
Mitigation Strategies

The immediate and most effective mitigation is to upgrade OneUptime to version 10.0.20 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict or disable the ability for low-privileged users to submit or edit Synthetic Monitor Playwright scripts to prevent exploitation.

Monitor and audit the usage of the Synthetic Monitor feature closely to detect any suspicious activity.

Consider isolating the oneuptime-probe service in a restricted environment or container with limited permissions to reduce the impact of potential exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30921. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart