CVE-2026-30958
Received Received - Intake
Path Traversal in OneUptime Workflow Allows Arbitrary File Read

Publication date: 2026-03-10

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts with no sanitization or authentication middleware. This vulnerability is fixed in 10.0.21.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30958
EUVD
EUVD-2026-10563
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hackerbay oneuptime to 10.0.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30958 is a high-severity unauthenticated path traversal vulnerability in the OneUptime monitoring solution, affecting versions prior to 10.0.21.

The vulnerability exists in the `/workflow/docs/:componentName` endpoint, where the `componentName` parameter is directly concatenated into a file path used by the server to send files without any sanitization or authentication.

This allows an attacker to perform path traversal attacks to read arbitrary files from the server filesystem, including sensitive files like `/etc/passwd` and `.env`.

The `.env` file contains critical environment variables such as encryption secrets and database passwords, which can be exploited to forge admin authentication tokens and gain full control over the platform.

Impact Analysis

This vulnerability can have severe impacts including:

  • Unauthenticated attackers can read arbitrary files on the server.
  • Exposure of sensitive environment secrets, database credentials, TLS private keys, and application source code.
  • Attackers can forge admin authentication tokens using leaked encryption secrets, potentially gaining full administrative control over the platform.
  • This can lead to a full system compromise.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to exploit the unauthenticated path traversal in the /workflow/docs/:componentName endpoint to read arbitrary files from the server filesystem.'}, {'type': 'paragraph', 'content': "A common detection method is to send HTTP requests to the vulnerable endpoint with path traversal payloads such as '../' sequences to try to access sensitive files like /etc/passwd or .env."}, {'type': 'paragraph', 'content': 'Example commands using curl to test the vulnerability include:'}, {'type': 'list_item', 'content': 'curl -v http://<target>/{APP_NAME}/docs/../../../../etc/passwd'}, {'type': 'list_item', 'content': 'curl -v http://<target>/{APP_NAME}/docs/../../../../.env'}, {'type': 'paragraph', 'content': 'If the response contains contents of these files, the system is vulnerable.'}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade the OneUptime application to version 10.0.21 or later, where this vulnerability is fixed.
  • Implement validation of the componentName parameter against an allowlist of known documentation files.
  • Strip path separators and resolve the path to ensure it remains within the intended directory.
  • Add authentication middleware to restrict access to the /workflow/docs/:componentName endpoint.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30958. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart