Executive Summary

CVE-2026-35053 is a critical security vulnerability in the OneUptime Worker service's ManualAPI component prior to version 10.0.42. The ManualAPI exposes two workflow execution endpoints without any authentication middleware, allowing anyone who can guess or obtain a workflow ID to trigger arbitrary workflow executions.

This means an attacker can send requests with attacker-controlled input data to these endpoints, causing the system to execute workflows with potentially malicious JavaScript code, abuse notification systems, manipulate data, or exhaust system resources.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several severe impacts:

• Remote code execution through workflows containing JavaScript components, potentially allowing internal network reconnaissance.
• Abuse of notification systems by triggering workflows that send emails, SMS, or webhooks, which can lead to spam, phishing, or notification fatigue.
• Data manipulation including creation, update, or deletion of incidents, alerts, or other resources, possibly causing data corruption or denial of service.
• Resource exhaustion due to lack of rate limiting, allowing rapid repeated execution that congests the worker queue.
• In multi-tenant SaaS deployments, all tenants’ workflows are vulnerable, increasing the scope of impact.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the vulnerable endpoints are accessible without authentication. Specifically, you can test the exposed ManualAPI endpoints: GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId.

A practical way to detect this is by using curl commands to send requests to these endpoints with a guessed or known workflow ID and observe the response.

• Use curl to send a POST request with JSON data to the endpoint and check if it executes without authentication:
• curl -X POST https://<your-oneuptime-domain>/workflow/manual/run/<workflow-uuid> -H "Content-Type: application/json" -d '{"data":{}}'
• If the response is not a 401 Unauthorized but instead a 400 Workflow not found or a successful execution response, it indicates the endpoint is exposed without authentication.

Additionally, check your logs, dashboard URLs, API responses, and webhook payloads for exposed workflow IDs that could be used to test these endpoints.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade OneUptime to version 10.0.42 or later, where this vulnerability has been patched by adding authentication middleware to the ManualAPI endpoints.

Until the upgrade can be performed, you should restrict access to the vulnerable endpoints by implementing network-level controls such as firewall rules or reverse proxy restrictions to block unauthenticated external access to /workflow/manual/run/* endpoints.

Additionally, review and rotate any exposed workflow IDs and audit logs for suspicious activity to limit potential exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to execute arbitrary workflows, including JavaScript code execution, notification abuse, and data manipulation. This can lead to unauthorized access, data corruption, and potential data breaches.

Such unauthorized actions and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data access, integrity, and confidentiality.

Specifically, the lack of authentication on critical workflow execution endpoints violates principles of access control and data protection mandated by these regulations.

Useful 0 Not Useful 0