CVE-2026-30958
Path Traversal in OneUptime Workflow Allows Arbitrary File Read
Publication date: 2026-03-10
Last updated on: 2026-03-12
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hackerbay | oneuptime | up to 10.0.21 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30958 is a high-severity unauthenticated path traversal vulnerability in the OneUptime monitoring solution, affecting versions prior to 10.0.21.
The vulnerability exists in the `/workflow/docs/:componentName` endpoint, where the `componentName` parameter is directly concatenated into a file path used by the server to send files without any sanitization or authentication.
This allows an attacker to perform path traversal attacks to read arbitrary files from the server filesystem, including sensitive files like `/etc/passwd` and `.env`.
The `.env` file contains critical environment variables such as encryption secrets and database passwords, which can be exploited to forge admin authentication tokens and gain full control over the platform.
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Unauthenticated attackers can read arbitrary files on the server.
- Exposure of sensitive environment secrets, database credentials, TLS private keys, and application source code.
- Attackers can forge admin authentication tokens using leaked encryption secrets, potentially gaining full administrative control over the platform.
- This can lead to a full system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the unauthenticated path traversal in the /workflow/docs/:componentName endpoint to read arbitrary files from the server filesystem.
A common detection method is to send HTTP requests to the vulnerable endpoint with path traversal payloads such as '../' sequences to try to access sensitive files like /etc/passwd or .env.
Example commands using curl to test the vulnerability include:
- curl -v http://<target>/{APP_NAME}/docs/../../../../etc/passwd
- curl -v http://<target>/{APP_NAME}/docs/../../../../.env
If the response contains contents of these files, the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade the OneUptime application to version 10.0.21 or later, where this vulnerability is fixed.
- Implement validation of the componentName parameter against an allowlist of known documentation files.
- Strip path separators and resolve the path to ensure it remains within the intended directory.
- Add authentication middleware to restrict access to the /workflow/docs/:componentName endpoint.
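The three code-level mitigations above (allowlist, separator stripping with containment check, and authentication) can be layered in one handler. The following is an added example written for this page; it is not OneUptime's own code and does not reproduce the project's actual route. The allowlist names, the `.md` file naming and the `handleDocsRequest` / `resolveDocPath` function names are assumptions made for the example, and the sample docs directory is constructed in a temp folder so the code runs offline.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Constructed allowlist for this example. A real deployment would derive it from the
// documentation files actually shipped with the workflow components.
const DOC_ALLOWLIST: ReadonlySet<string> = new Set(["Webhook", "Slack", "Condition"]);

// Only a single path segment of safe characters is ever accepted: no '/', '\' or '.'.
const SAFE_NAME = /^[A-Za-z0-9_-]+$/;

// First layer: reject anything that is not a known component name.
function validateComponentName(componentName: string): boolean {
  return SAFE_NAME.test(componentName) && DOC_ALLOWLIST.has(componentName);
}

// Second layer: resolve the file and confirm it is still inside docsDir.
// Returns null when the name is not allowlisted or the resolved path escapes the root.
function resolveDocPath(docsDir: string, componentName: string): string | null {
  if (!validateComponentName(componentName)) {
    return null;
  }
  const root = path.resolve(docsDir);
  const candidate = path.resolve(root, `${componentName}.md`);
  // Containment check on the normalised absolute path (defence in depth: the
  // allowlist alone already prevents traversal, but this catches future regressions).
  if (!candidate.startsWith(root + path.sep)) {
    return null;
  }
  return candidate;
}

interface DocsResponse {
  status: number;
  body: string;
}

// Framework-independent handler: authentication first, then allowlist and containment,
// then the file read. An Express route for /workflow/docs/:componentName would call
// this with req.params.componentName and the result of its auth middleware.
function handleDocsRequest(
  docsDir: string,
  componentName: string,
  isAuthenticated: boolean
): DocsResponse {
  if (!isAuthenticated) {
    return { status: 401, body: "authentication required" };
  }
  const filePath = resolveDocPath(docsDir, componentName);
  if (filePath === null || !fs.existsSync(filePath)) {
    // Do not echo the supplied name back: it is attacker-controlled input.
    return { status: 404, body: "documentation not found" };
  }
  return { status: 200, body: fs.readFileSync(filePath, "utf8") };
}

// Build a throwaway docs directory (constructed sample data) so the example runs offline.
function makeSampleDocsDir(): string {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "oneuptime-docs-example-"));
  fs.writeFileSync(path.join(dir, "Webhook.md"), "# Webhook component\n");
  fs.writeFileSync(path.join(dir, "Slack.md"), "# Slack component\n");
  return dir;
}
```

The allowlist is the control that actually closes the CWE-22 class of bug: a name containing `..`, `/` or `\` never reaches `path.resolve`. The containment check is kept anyway so that a later change to the allowlist rule (for example, allowing dots in names) cannot silently reopen the traversal. Returning 404 rather than 400 for rejected names avoids telling a probing client which part of the check it tripped.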