CVE-2026-29779
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
UptimeFlare is a serverless uptime monitoring and status page solution, powered by Cloudflare Workers. Prior to commit 377a596, the configuration file uptime.config.ts exported both pageConfig (safe for client use) and workerConfig (server-only, contains sensitive data) from the same module. Because pages/incidents.tsx imported workerConfig and used it directly inside client-side component code, the entire workerConfig object was included in the client-side JavaScript bundle served to all visitors. This issue has been patched via commit 377a596.
Analysis
UptimeFlare's configuration management fails to segregate server-only sensitive data from client-side code, causing the workerConfig object containing confidential settings to be exposed in the JavaScript bundle delivered to all website visitors. This information disclosure allows attackers to view sensitive configuration details without authentication. …
Remediation
Within 24 hours: audit all UptimeFlare deployments to confirm version and exposure status; notify relevant stakeholders of potential exposure. Within 7 days: apply the available patch (commit 377a596 or later) across all production and non-production instances; rotate any exposed credentials and API keys as a precaution. …
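One way to run the exposure audit is to check whether any string value from the server-only config appears in the JavaScript a deployment serves to visitors. The following is an added example, not code from UptimeFlare or from this advisory; the function names, config keys, token and bundle excerpts are constructed for illustration.

```javascript
// Added example: all names and sample data below are constructed placeholders.

// Walk a config object and return every string leaf with its dotted path.
function collectStringLeaves(node, path = "", out = []) {
  if (typeof node === "string") {
    out.push({ path, value: node });
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => collectStringLeaves(item, `${path}[${i}]`, out));
  } else if (node !== null && typeof node === "object") {
    for (const [key, child] of Object.entries(node)) {
      collectStringLeaves(child, path ? `${path}.${key}` : key, out);
    }
  }
  return out;
}

// Return the paths of server-only values that appear in client bundle text.
// Values shorter than minLength are skipped to avoid matching common words.
function findLeakedPaths(bundleText, serverConfig, minLength = 8) {
  const leaked = [];
  for (const { path, value } of collectStringLeaves(serverConfig)) {
    if (value.length < minLength) continue;
    // Bundlers emit string literals in escaped form, so test both spellings.
    const escaped = JSON.stringify(value).slice(1, -1);
    if (bundleText.includes(value) || bundleText.includes(escaped)) {
      leaked.push(path);
    }
  }
  return leaked;
}

// Constructed server-only config with placeholder values.
const sampleWorkerConfig = {
  monitors: [{
    id: "internal-api",
    timeout: 10000, // non-string leaves are ignored
    target: "https://internal.example.test/health",
    headers: { Authorization: "Bearer EXAMPLE-TOKEN-0000" },
  }],
};

// Constructed bundle excerpts: one that embeds the config, one that does not.
const leakyBundle =
  'let c={monitors:[{id:"internal-api",target:"https://internal.example.test/health",' +
  'headers:{Authorization:"Bearer EXAMPLE-TOKEN-0000"}}]};';
const cleanBundle = 'let p={title:"Status Page",links:[]};';

console.log(findLeakedPaths(leakyBundle, sampleWorkerConfig)); // three paths
console.log(findLeakedPaths(cleanBundle, sampleWorkerConfig)); // []
```

In practice, pass in the contents of each JavaScript file the deployment serves and the real workerConfig; any path reported identifies a value to rotate.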