CVE-2026-27574 Overview
OneUptime is a solution for monitoring and managing online services. A critical sandbox escape vulnerability exists in versions 9.5.13 and below where the custom JavaScript monitor feature uses Node.js's node:vm module to execute user-supplied code. Since the node:vm module is explicitly documented as not being a security mechanism, attackers can trivially escape the sandbox using well-known techniques to gain full access to the underlying process.
The severity of this vulnerability is compounded by the fact that the probe runs with host networking and holds all cluster credentials (ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, CLICKHOUSE_PASSWORD) in its environment variables. Additionally, monitor creation is available to the lowest role (ProjectMember) with open registration enabled by default, allowing any anonymous user to achieve full cluster compromise in approximately 30 seconds.
Critical Impact
Unauthenticated attackers can achieve complete cluster compromise by exploiting the Node.js VM sandbox escape to access all stored credentials and gain full control over the OneUptime infrastructure.
Affected Products
- Hackerbay OneUptime versions 9.5.13 and below
- OneUptime instances with open registration enabled (default configuration)
- Deployments running probes with host networking and exposed cluster credentials
Discovery Timeline
- 2026-02-21 - CVE CVE-2026-27574 published to NVD
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2026-27574
Vulnerability Analysis
This vulnerability (CWE-94: Improper Control of Generation of Code) stems from the misuse of Node.js's node:vm module for executing user-supplied JavaScript code in the custom monitor feature. The node:vm module creates V8 virtual machine contexts that can run arbitrary JavaScript code, but as explicitly stated in Node.js documentation, this module is not a security mechanism and should never be used to execute untrusted code.
The vulnerability allows attackers with the ProjectMember role (the lowest permission level) to create custom JavaScript monitors containing malicious code that escapes the VM sandbox. Once escaped, the attacker's code runs with full privileges in the probe process, which has access to sensitive cluster credentials stored in environment variables.
Root Cause
The root cause of this vulnerability is the inappropriate use of Node.js's node:vm module as a security boundary for executing user-supplied code. The node:vm module is designed for creating isolated contexts but explicitly does not provide security isolation. Well-known sandbox escape techniques exist that leverage the connection between VM contexts and the host environment through prototype chains and constructor references.
The security posture is further weakened by the probe's architecture: it runs with host networking access and stores critical cluster credentials (ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, CLICKHOUSE_PASSWORD) as environment variables, making them immediately accessible to any code achieving sandbox escape.
Attack Vector
The attack is network-based and requires only low privileges (the ProjectMember role), which can be obtained through open registration (enabled by default). An attacker registers for an account and creates a custom JavaScript monitor containing a sandbox escape payload; the malicious code then executes in the probe context with full access to the environment variables holding all cluster credentials.
The following patches demonstrate the security fix that introduces a separate REGISTER_PROBE_KEY to isolate probe registration and refactors the SyntheticMonitor to use child processes for safer script execution:
export const HasClusterKey: boolean = Boolean(process.env["ONEUPTIME_SECRET"]);
+export const RegisterProbeKey: ObjectID = new ObjectID(
+ process.env["REGISTER_PROBE_KEY"] || "secret",
+);
+
+export const HasRegisterProbeKey: boolean = Boolean(
+ process.env["REGISTER_PROBE_KEY"],
+);
+
export const AppApiHostname: Hostname = Hostname.fromString(
`${process.env["SERVER_APP_HOSTNAME"] || "localhost"}:${
process.env["APP_PORT"] || 80
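Review bot: `RegisterProbeKey` falls back to the literal `"secret"` when `REGISTER_PROBE_KEY` is unset, so an operator who upgrades without setting the new variable ends up with a probe-registration key that anyone who has read this commit knows. `HasRegisterProbeKey` already records whether the variable was supplied, so the probe registration path should refuse to accept probes while it is false (or the process should fail at startup) rather than accept the default; with that in place the `|| "secret"` fallback can be dropped entirely. A one-line comment on `RegisterProbeKey` explaining why it is separate from `ONEUPTIME_SECRET` (probe registration no longer needs the cluster-wide secret) would also help future readers.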
Source: GitHub Commit Details
The Helm chart was also updated to support the new probe registration key:
{{- end }}
{{- end }}
+{{- define "oneuptime.env.registerProbeKey" }}
+- name: REGISTER_PROBE_KEY
+ {{- if $.Values.registerProbeKey }}
+ value: {{ $.Values.registerProbeKey }}
+ {{- else }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $.Release.Name "secrets" }}
+ key: register-probe-key
+ {{- end }}
+{{- end }}
+
{{- define "oneuptime.env.runtime" }}
- name: VAPID_PRIVATE_KEY
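Review bot: `value: {{ $.Values.registerProbeKey }}` is rendered unquoted, so a key that YAML reads as a number or boolean, or one containing `:` or `#`, produces an invalid or mistyped environment value; use `{{ $.Values.registerProbeKey | quote }}`. The `value:` branch also embeds the key in plain text in the pod spec, where anyone who can read pods sees it, whereas the `secretKeyRef` branch keeps it in the `<release>-secrets` Secret under `register-probe-key`; the values file should say the literal form is for local development only. This hunk does not show the Secret template, so confirm that `register-probe-key` is actually generated (ideally as a random value) when `registerProbeKey` is left unset, otherwise the pod fails to start with a missing key.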
Source: GitHub Commit Details
Detection Methods for CVE-2026-27574
Indicators of Compromise
- Unusual custom JavaScript monitors created by recently registered accounts
- Monitor scripts containing references to process.env, require, or constructor chain manipulation
- Unexpected access to environment variables or system resources from probe processes
- Network connections originating from probe containers to external destinations
Detection Strategies
- Monitor OneUptime logs for custom JavaScript monitor creation events, especially from new or low-privilege accounts
- Implement behavioral analysis on probe processes to detect unexpected system calls or network activity
- Review authentication logs for mass account registrations that may indicate preparation for exploitation
- Audit existing custom monitors for suspicious JavaScript code patterns indicative of sandbox escape attempts
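The audit in the last two points can be automated. The following is an added example, not OneUptime's own code: it scans saved monitor scripts for the indicators listed above (process.env, module loading, constructor access, dynamic code) and ranks hits by whether the owning account is newly registered; the record shape, ids and dates are constructed for illustration.

```javascript
// Added example, not OneUptime's own code: static triage of saved custom
// JavaScript monitor scripts for the indicators listed above. A legitimate
// uptime check needs none of these constructs, so any hit is worth review.
const AUDIT_RULES = [
  { id: "env-access",        pattern: /\bprocess\s*\.\s*env\b/ },
  { id: "module-loading",    pattern: /\b(require|import)\s*\(/ },
  { id: "child-process",     pattern: /child_process/ },
  { id: "constructor-chain", pattern: /\bconstructor\b/ },
  { id: "dynamic-code",      pattern: /\b(eval|Function)\s*\(/ },
];

// Returns one finding per (line, rule) match, with the line number for the audit log.
function auditMonitorScript(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    for (const rule of AUDIT_RULES) {
      if (rule.pattern.test(line)) {
        findings.push({ rule: rule.id, line: i + 1, text: line.trim() });
      }
    }
  });
  return findings;
}

// Combines the script audit with the "recently registered account" indicator:
// flagged scripts owned by accounts younger than newAccountDays sort first.
function triageMonitors(monitors, nowMs, newAccountDays = 7) {
  const cutoffMs = newAccountDays * 24 * 60 * 60 * 1000;
  return monitors
    .map((m) => {
      const findings = auditMonitorScript(m.script);
      const newAccount = nowMs - m.ownerRegisteredAt < cutoffMs;
      const priority = findings.length === 0 ? 0 : newAccount ? 2 : 1;
      return { id: m.id, newAccount, priority, findings };
    })
    .filter((r) => r.priority > 0)
    .sort((a, b) => b.priority - a.priority);
}

// Constructed sample records (hypothetical ids and dates, not real data).
const NOW_MS = Date.parse("2026-02-23T00:00:00Z");
const SAMPLE_MONITORS = [
  { id: "mon-1", ownerRegisteredAt: Date.parse("2025-06-01T00:00:00Z"),
    script: "const r = await fetch('https://example.com/health');\nreturn { ok: r.status === 200 };" },
  { id: "mon-2", ownerRegisteredAt: Date.parse("2026-02-22T10:00:00Z"),
    script: "const secrets = process.env;\nreturn Object.keys(secrets);" },
  { id: "mon-3", ownerRegisteredAt: Date.parse("2026-02-21T10:00:00Z"),
    script: "return String({}.constructor);" },
];

for (const hit of triageMonitors(SAMPLE_MONITORS, NOW_MS)) {
  console.log(`${hit.id} priority=${hit.priority} rules=${hit.findings.map((f) => f.rule).join(",")}`);
}
```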
Monitoring Recommendations
- Enable verbose logging for monitor creation and execution events
- Implement network segmentation to isolate probe containers and restrict outbound connections
- Configure alerting for any access attempts to sensitive environment variables
- Deploy runtime security monitoring (such as SentinelOne Singularity) on probe hosts to detect process anomalies
How to Mitigate CVE-2026-27574
Immediate Actions Required
- Upgrade OneUptime to version 10.0.5 or later immediately
- Disable open registration until patched if upgrade is not immediately possible
- Rotate all cluster credentials (ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, CLICKHOUSE_PASSWORD)
- Audit existing custom JavaScript monitors for malicious code
- Review recent account registrations and monitor creation activity for suspicious patterns
Patch Information
The vulnerability has been fixed in OneUptime version 10.0.5. The fix refactors the SyntheticMonitor implementation to use child processes for script execution instead of the insecure node:vm module. Additionally, a new REGISTER_PROBE_KEY environment variable has been introduced to provide better isolation of probe registration credentials.
For detailed patch information, refer to the GitHub Security Advisory and the commit implementing the fix.
Workarounds
- Disable the custom JavaScript monitor feature entirely until patched
- Disable open registration to prevent unauthorized users from creating accounts
- Restrict the ProjectMember role from creating custom monitors
- Implement network policies to prevent probe containers from making outbound connections to untrusted destinations
# Configuration example: Disable open registration in OneUptime
# Set this environment variable to disable new user registration
DISABLE_SIGNUP=true
# Rotate credentials after patching
# Generate new secure passwords for all cluster services
openssl rand -base64 32 # Use output for ONEUPTIME_SECRET
openssl rand -base64 32 # Use output for DATABASE_PASSWORD
openssl rand -base64 32 # Use output for REDIS_PASSWORD
openssl rand -base64 32 # Use output for CLICKHOUSE_PASSWORD
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

