Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipulation. This issue has been patched in version 10.0.42.
AnalysisAI
Unauthenticated remote code execution in OneUptime monitoring platform (versions < 10.0.42) allows attackers to trigger arbitrary workflow execution with controlled input data via exposed Worker service ManualAPI endpoints. The vulnerability enables JavaScript code execution, notification system abuse, and data manipulation without any authentication requirement. CVSS 9.2 (Critical) with network attack vector and low complexity; no public exploit identified at time of analysis, though the authentication bypass combined with RCE capability presents immediate risk to exposed instances.
Technical ContextAI
OneUptime is an open-source monitoring and observability platform that uses workflow automation to orchestrate responses to system events. The Worker service component implements a ManualAPI that exposes workflow execution endpoints (GET and POST /workflow/manual/run/:workflowId) for triggering automated workflows. This vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where these critical endpoints lack any authentication middleware layer. The workflow execution engine accepts arbitrary input data and can execute JavaScript code as part of workflow logic, creating a direct path from unauthenticated network access to code execution. The affected component (cpe:2.3:a:oneuptime:oneuptime) is the core platform package prior to version 10.0.42. The CVSS 4.0 vector indicates network-accessible (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and high impact to confidentiality, integrity, and availability of the vulnerable system (VC:H/VI:H/VA:H), though with present attack requirements (AT:P) suggesting specific conditions must be met.
RemediationAI
Vendor-released patch: version 10.0.42. Organizations running OneUptime should immediately upgrade to version 10.0.42 or later, which implements proper authentication controls on the Worker service ManualAPI endpoints. The fix is available through the standard release channel at https://github.com/OneUptime/oneuptime/releases/tag/10.0.42. For organizations unable to patch immediately, temporary mitigation includes restricting network access to the Worker service ManualAPI endpoints using firewall rules or reverse proxy authentication, ensuring these endpoints are not accessible from untrusted networks. Network segmentation should isolate OneUptime Worker services from public internet exposure. Organizations should audit logs for suspicious workflow execution attempts, particularly focusing on unusual workflow IDs or execution patterns from unexpected source IPs. After patching, conduct a security review to identify any unauthorized workflow executions that may have occurred while the vulnerability was present. Consult the GitHub security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6c3w-7xg4-4cf7 for additional vendor guidance and detection strategies.
OS command injection in OneUptime monitoring platform before 10.0.7. Authenticated users can execute arbitrary commands
OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
OneUptime monitoring platform prior to 10.0.18 allows code injection (CVSS 9.9) enabling RCE through the monitoring conf
OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.
OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.
OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.8), this vulnerability
OneUptime versions prior to 10.0.19 allow unauthenticated attackers to hijack GitHub App integrations across projects by
OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.3), this vulnerability
OneUptime versions 10.0.11 and earlier contain an improper WebAuthn implementation where server-side challenge validatio
Unauthenticated path traversal in OneUptime versions before 10.0.21 allows remote attackers to read arbitrary files from
OneUptime is a solution for monitoring and managing online services. Rated medium severity (CVSS 6.9), this vulnerabilit
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18542