CRITICAL🇵🇱 Wersja polska

CVE-2026-33396

CVSS 9.9v3.1pub. 2026-03-26

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution. Synthetic monitor code is executed in VMRunner.runCodeInNodeVM with a live Playwright page object in context. The sandbox relies on a denylist of blocked properties/methods, but it is incomplete. Specifically, _browserType and launchServer are not blocked, so attacker code can traverse `page.context().browser()._browserType.launchServer(...)` and spawn arbitrary processes. Version 10.0.35 contains a patch.

🤖 AI Analysis
How it works

Synthetic Monitor scripts are executed in the VMRunner.runCodeInNodeVM environment with an active Playwright page object available in the context. The protection mechanism relies on a denylist of blocked properties and methods, however this list is incomplete — the `_browserType` property and the `launchServer` method are not blocked. An attacker can traverse the path `page.context().browser()._browserType.launchServer(...)`, which allows execution of arbitrary system processes on the Probe host or container.

Impact

An attacker with ProjectMember privileges can execute arbitrary system commands on the Probe container or host, gaining full control over the runtime environment (confidentiality, integrity, and availability of the system are fully compromised).

Mitigation & patch

OneUptime should be updated to version 10.0.35, which contains a patch that eliminates the vulnerability by supplementing the denylist with the `_browserType` property and the `launchServer` method. Patch available in vendor references (commit e8e4ee3ff0740eb131045ab3d67453141c46178a on GitHub).

Who is affected

OneUptime (Hackerbay) in versions prior to 10.0.35

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Hackerbay Oneuptime

    APP
    Hackerbay
    < 10.0.35
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
ContainerCommand Injection
CWE
References

Related vulnerabilities

CVE-2026-34758CRITICAL9.1PL ✓ten sam produkt

OneUptime: nieautoryzowany dostęp do endpointów powiadomień i zarządzania numerami

CVE-2026-35053CRITICAL9.2PL ✓ten sam produkt

Brak uwierzytelnienia w endpointach workflow w OneUptime (RCE)

CVE-2026-34759CRITICAL9.2PL ✓ten sam produkt

Brak uwierzytelnienia w API powiadomień OneUptime — obejście autoryzacji

CVE-2026-32306CRITICAL9.9PL ✓ten sam produkt

SQL Injection w OneUptime — nieautoryzowany dostęp do bazy i potencjalny RCE

CVE-2026-30921CRITICAL9.9PL ✓ten sam produkt

OneUptime: RCE przez niebezpieczny Playwright sandbox w Synthetic Monitors