Skip to main content

Oneuptime CVE-2026-35053

| EUVDEUVD-2026-18542 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-04-02 GitHub_M
9.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:46 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
10.0.42
EUVD ID Assigned
Apr 02, 2026 - 19:31 euvd
EUVD-2026-18542
Analysis Generated
Apr 02, 2026 - 19:31 vuln.today
CVE Published
Apr 02, 2026 - 18:55 nvd
CRITICAL 9.2

DescriptionGitHub Advisory

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipulation. This issue has been patched in version 10.0.42.

AnalysisAI

Unauthenticated remote code execution in OneUptime monitoring platform (versions < 10.0.42) allows attackers to trigger arbitrary workflow execution with controlled input data via exposed Worker service ManualAPI endpoints. The vulnerability enables JavaScript code execution, notification system abuse, and data manipulation without any authentication requirement. CVSS 9.2 (Critical) with network attack vector and low complexity; no public exploit identified at time of analysis, though the authentication bypass combined with RCE capability presents immediate risk to exposed instances.

Technical ContextAI

OneUptime is an open-source monitoring and observability platform that uses workflow automation to orchestrate responses to system events. The Worker service component implements a ManualAPI that exposes workflow execution endpoints (GET and POST /workflow/manual/run/:workflowId) for triggering automated workflows. This vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where these critical endpoints lack any authentication middleware layer. The workflow execution engine accepts arbitrary input data and can execute JavaScript code as part of workflow logic, creating a direct path from unauthenticated network access to code execution. The affected component (cpe:2.3:a:oneuptime:oneuptime) is the core platform package prior to version 10.0.42. The CVSS 4.0 vector indicates network-accessible (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and high impact to confidentiality, integrity, and availability of the vulnerable system (VC:H/VI:H/VA:H), though with present attack requirements (AT:P) suggesting specific conditions must be met.

RemediationAI

Vendor-released patch: version 10.0.42. Organizations running OneUptime should immediately upgrade to version 10.0.42 or later, which implements proper authentication controls on the Worker service ManualAPI endpoints. The fix is available through the standard release channel at https://github.com/OneUptime/oneuptime/releases/tag/10.0.42. For organizations unable to patch immediately, temporary mitigation includes restricting network access to the Worker service ManualAPI endpoints using firewall rules or reverse proxy authentication, ensuring these endpoints are not accessible from untrusted networks. Network segmentation should isolate OneUptime Worker services from public internet exposure. Organizations should audit logs for suspicious workflow execution attempts, particularly focusing on unusual workflow IDs or execution patterns from unexpected source IPs. After patching, conduct a security review to identify any unauthorized workflow executions that may have occurred while the vulnerability was present. Consult the GitHub security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6c3w-7xg4-4cf7 for additional vendor guidance and detection strategies.

CVE-2026-27728 CRITICAL POC
9.9 Feb 25

OS command injection in OneUptime monitoring platform before 10.0.7. Authenticated users can execute arbitrary commands

CVE-2026-30957 CRITICAL POC
9.9 Mar 10

OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.

CVE-2026-27574 CRITICAL POC
9.9 Feb 21

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

CVE-2026-30887 CRITICAL POC
9.9 Mar 10

OneUptime monitoring platform prior to 10.0.18 allows code injection (CVSS 9.9) enabling RCE through the monitoring conf

CVE-2026-30956 CRITICAL POC
9.9 Mar 10

OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.

CVE-2026-30921 CRITICAL POC
9.9 Mar 10

OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.

CVE-2025-65966 HIGH POC
8.8 Nov 26

OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.8), this vulnerability

CVE-2026-30920 HIGH POC
8.6 Mar 10

OneUptime versions prior to 10.0.19 allow unauthenticated attackers to hijack GitHub App integrations across projects by

CVE-2024-29194 HIGH POC
8.3 Mar 24

OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.3), this vulnerability

CVE-2026-28787 HIGH POC
8.2 Mar 06

OneUptime versions 10.0.11 and earlier contain an improper WebAuthn implementation where server-side challenge validatio

CVE-2026-30958 HIGH POC
7.2 Mar 10

Unauthenticated path traversal in OneUptime versions before 10.0.21 allows remote attackers to read arbitrary files from

CVE-2025-66028 MEDIUM POC
6.9 Nov 26

OneUptime is a solution for monitoring and managing online services. Rated medium severity (CVSS 6.9), this vulnerabilit

Share

CVE-2026-35053 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy