CVE-2026-27574
📋 TL;DR
CVE-2026-27574 is a remote code execution flaw in OneUptime's custom JavaScript monitor feature. Monitor code is executed inside a Node.js vm context, which is not a security boundary, so any user holding the ProjectMember role can submit code that escapes the context and runs with the full privileges of the OneUptime process. On deployments with open registration, anonymous visitors can obtain that role simply by creating an account. A successful escape exposes everything the process can reach, including the credentials it holds for the rest of the cluster. All OneUptime deployments running version 9.5.13 or earlier are affected.
💻 Affected Systems
- OneUptime
📦 What is this software?
OneUptime by HackerBay: an open-source monitoring and status-page platform whose "custom JavaScript monitor" type lets users supply their own check code.
⚠️ Risk & Real-World Impact
Worst Case
Full cluster compromise with access to all credentials (database, Redis, ClickHouse), allowing data theft, service disruption, and lateral movement.
Likely Case
Attackers gain administrative access to the monitoring system, steal credentials, and potentially compromise connected services.
If Mitigated
If open registration is disabled and project roles are tightly controlled, exploitation requires an existing authenticated ProjectMember account. This shrinks the attacker pool; it does not reduce what such an account can do, which is still full code execution in the OneUptime process.
🎯 Exploit Status
The exploit is the well-known Node.js vm one-liner that climbs from the sandbox's global object to the host realm's Function constructor and from there to the host `process` object; the Node.js documentation itself states that the vm module is not a security mechanism. The advisory estimates exploitation at about 30 seconds, and no account beyond ProjectMember is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.5
Vendor Advisory: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-v264-xqh4-9xmm
Restart Required: Yes
Instructions:
1. Back up your OneUptime configuration and data.
2. Update to version 10.0.5 or later using your deployment method (for example by bumping the image tag or chart version).
3. Restart all OneUptime services.
4. Verify the update: confirm the running version reports 10.0.5 or later.
🔧 Temporary Workarounds
Disable open registration
Scope: all deployments. Prevents anonymous users from creating accounts and thereby obtaining the ProjectMember role.
Edit the OneUptime configuration to disable open registration (the exact setting or command depends on your deployment method).
Disable custom JavaScript monitors
Scope: all deployments. Removes the vulnerable feature entirely.
Disable or remove the custom JavaScript monitor functionality in the OneUptime configuration.
🧯 If You Can't Patch
- Immediately disable open registration to prevent anonymous exploitation
- Restrict ProjectMember role creation and review existing ProjectMember accounts
🔍 How to Verify
Check if Vulnerable:
Check if your OneUptime version is 9.5.13 or earlier and if custom JavaScript monitors are enabled
Check Version:
Check OneUptime web interface or run appropriate version command for your deployment method
Verify Fix Applied:
Verify the running version is 10.0.5 or later. Then, from a ProjectMember account, create a custom JavaScript monitor whose code tries to reach host-process objects (the host `process` object, or the host realm's `Function` constructor via the global's prototype chain) and confirm that it fails. Note that defeating one probe string only proves that string is blocked; the fix to look for is that monitor code no longer runs inside the OneUptime process.
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript monitor creation
- Suspicious code execution in vm context
- Multiple failed then successful authentication attempts from new users
Network Indicators:
- Unexpected outbound connections from OneUptime server
- Traffic to database/Redis/ClickHouse from unusual processes
SIEM Query:
source="oneuptime" AND (event="monitor_created" OR event="code_execution") | where user_role="ProjectMember"
(Splunk-style illustration. The event and field names are placeholders and must be mapped to what your OneUptime and ingress logs actually emit. Pair it with recent account registrations so that a new account creating a custom JavaScript monitor within minutes of signing up stands out.)