Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30957 is a critical server-side remote code execution vulnerability in OneUptime's Synthetic Monitor feature affecting versions prior to 10.0.21."}, {'type': 'paragraph', 'content': "The issue arises because untrusted Synthetic Monitor scripts, created by low-privileged authenticated project users, are executed inside Node.js's vm module with live Playwright browser and page objects exposed directly in the VM context."}, {'type': 'paragraph', 'content': 'This exposure allows a malicious user to invoke Playwright APIs on the injected browser object and spawn arbitrary attacker-controlled executables on the oneuptime-probe server or container without needing to escape the VM sandbox.'}, {'type': 'paragraph', 'content': 'In essence, an attacker with permission to create or edit monitors can craft a Playwright script that launches system shell commands on the host, leading to remote code execution.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any authenticated project member with permissions to create or edit Synthetic Monitors to execute arbitrary commands on the probe server or container.

An attacker can leverage this to access internal services, secrets, Kubernetes metadata, database credentials, proxy credentials, or other sensitive cluster-local resources.

The impact includes full compromise of confidentiality, integrity, and availability of the affected system, as the attacker can run any code on the host.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying if any low-privileged authenticated project user has created or edited Synthetic Monitors with custom Playwright scripts that execute arbitrary commands on the oneuptime-probe server or container.

Specifically, detection involves reviewing Synthetic Monitor scripts for suspicious usage of Playwright APIs such as calls to browser.browserType().launch() with parameters like executablePath set to system shells (e.g., /bin/sh) and arguments that execute commands.

Since the vulnerability allows remote code execution via these scripts, monitoring logs for unexpected process spawns or command executions on the probe server/container can also help detect exploitation.

Suggested commands to detect suspicious activity might include:

• Checking running processes or recent process execution on the probe server: `ps aux | grep sh` or `ps aux | grep node`
• Reviewing logs for command executions or errors related to Playwright or Synthetic Monitor executions.
• Auditing Synthetic Monitor scripts via the OneUptime dashboard or API to identify scripts that invoke Playwright launch with unusual parameters.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation step is to upgrade OneUptime to version 10.0.21 or later, where this vulnerability is fixed.

Until the upgrade is applied, restrict permissions to create or edit Synthetic Monitors to only fully trusted users, as any authenticated project member with these permissions can exploit this vulnerability.

Additionally, consider disabling or limiting the use of Synthetic Monitors that run custom Playwright scripts to prevent execution of untrusted code.

Monitor the probe server/container for suspicious activity such as unexpected process executions or network connections that could indicate exploitation.

Useful 0 Not Useful 0