CVE-2026-30921
📋 TL;DR
CVE-2026-30921 allows low-privileged project users in OneUptime to execute arbitrary code on the probe host/container through synthetic monitors. Attackers can abuse Playwright browser objects to spawn arbitrary executables, leading to server-side remote code execution. All OneUptime deployments prior to version 10.0.20 are affected.
💻 Affected Systems
- OneUptime
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the probe host/container, allowing attackers to execute arbitrary commands, install malware, pivot to other systems, and potentially compromise the entire monitoring infrastructure.
Likely Case
Attackers with low-privileged project access can execute arbitrary code on probe hosts, potentially gaining full control over monitoring infrastructure and accessing sensitive monitoring data.
If Mitigated
With proper network segmentation and least privilege access, impact could be limited to the probe container/host, preventing lateral movement to critical systems.
🎯 Exploit Status
Exploitation requires low-privileged project user access. The vulnerability provides direct RCE without needing complex sandbox escapes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.20
Vendor Advisory: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8
Restart Required: Yes
Instructions:
1. Update OneUptime to version 10.0.20 or later.
2. Restart all OneUptime services.
3. Verify that the synthetic monitors feature no longer allows direct Playwright object access.
🔧 Temporary Workarounds
Disable Synthetic Monitors
Temporarily disable the synthetic monitors feature to prevent exploitation.
# Configuration dependent - modify OneUptime configuration to disable synthetic monitors
Restrict User Permissions
Remove synthetic monitor permissions from low-privileged users.
# Use OneUptime admin interface to modify user permissions
🧯 If You Can't Patch
- Implement strict network segmentation to isolate probe hosts/containers from critical systems
- Apply the principle of least privilege: remove synthetic monitor access from all non-essential users
🔍 How to Verify
Check if Vulnerable:
Check whether the OneUptime version is below 10.0.20 and whether the synthetic monitors feature is enabled.
Check Version:
Check the OneUptime admin dashboard, or run the version-check command appropriate to your deployment method.
Verify Fix Applied:
Verify that the version is 10.0.20 or later and confirm that synthetic monitors no longer expose direct Playwright object access.
📡 Detection & Monitoring
Log Indicators:
- Unusual process spawns from OneUptime probe service
- Suspicious synthetic monitor executions
- Playwright browser launch attempts from non-standard users
Network Indicators:
- Unexpected outbound connections from probe hosts
- Unusual network traffic patterns from monitoring infrastructure
SIEM Query:
source="oneuptime" AND (event="process_spawn" OR event="browser_launch") AND user!="admin"
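An added example (not part of this advisory or of OneUptime's own code) that applies the version rule from "How to Verify" and the SIEM query above to constructed records. The JSON log format, its field names and the sample lines are assumptions; only the fixed version 10.0.20 comes from the advisory.

```python
import json
import re

# Fixed version from the advisory; a pre-release suffix sorts below the final
# release (last tuple element 0 vs 1), so 10.0.20-rc1 still counts as unpatched.
FIXED_VERSION = (10, 0, 20, 1)
# Event names and trusted user taken from the SIEM query above (assumed field names).
SUSPICIOUS_EVENTS = {"process_spawn", "browser_launch"}
TRUSTED_USERS = {"admin"}

def parse_version(version):
    """'v10.0.19', '10.0.20' or '10.0.20-rc1' -> comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)

def is_vulnerable(version, synthetic_monitors_enabled=True):
    """'Check if Vulnerable' rule: below 10.0.20 with synthetic monitors enabled."""
    return parse_version(version) < FIXED_VERSION and synthetic_monitors_enabled

def flag_events(log_lines):
    """Apply the SIEM query to JSON log lines; return the matching records."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not structured events
        if (rec.get("source") == "oneuptime"
                and rec.get("event") in SUSPICIOUS_EVENTS
                and rec.get("user") not in TRUSTED_USERS):
            hits.append(rec)
    return hits

# Constructed sample log lines for this example (not real OneUptime output).
SAMPLE_LOGS = [
    '{"source": "oneuptime", "event": "monitor_run", "user": "viewer1", "monitor": "synthetic-42"}',
    '{"source": "oneuptime", "event": "process_spawn", "user": "viewer1", "monitor": "synthetic-42"}',
    '{"source": "oneuptime", "event": "browser_launch", "user": "admin"}',
    '{"source": "nginx", "event": "process_spawn", "user": "viewer1"}',
    "not a structured event",
]

if __name__ == "__main__":
    print("10.0.19 vulnerable:", is_vulnerable("10.0.19"))
    for hit in flag_events(SAMPLE_LOGS):
        print("ALERT:", hit)
```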