CVE-2026-27728 Overview
OneUptime is a solution for monitoring and managing online services. A critical OS command injection vulnerability exists in the NetworkPathMonitor.performTraceroute() function that allows any authenticated project user to execute arbitrary operating system commands on the Probe server. The vulnerability is exploited by injecting shell metacharacters into a monitor's destination field. This flaw affects versions prior to 10.0.7 and has been addressed in the security patch released in version 10.0.7.
Critical Impact
Authenticated users can achieve full remote code execution on the Probe server through shell metacharacter injection, potentially leading to complete server compromise, data exfiltration, or lateral movement within the infrastructure.
Affected Products
- OneUptime versions prior to 10.0.7
- OneUptime Probe Server component
- NetworkPathMonitor.performTraceroute() function
Discovery Timeline
- 2026-02-25 - CVE-2026-27728 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27728
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The vulnerable code path exists within the NetworkPathMonitor.performTraceroute() function, which is responsible for executing network traceroute operations. The function accepts user-controlled input (the destination field from a monitor configuration) and passes it directly to a shell command execution context without proper sanitization or validation.
The flaw allows authenticated project users—who may have limited permissions within the OneUptime platform—to escalate their access to full operating system command execution on the underlying Probe server. This represents a significant privilege escalation vector, as the intended functionality only permits users to configure monitoring endpoints, not execute arbitrary system commands.
Root Cause
The root cause of this vulnerability is the use of the exec() function from Node.js's child_process module to spawn shell commands with unsanitized user input. The exec() function spawns a shell and executes the command within that shell, which interprets shell metacharacters (such as ;, |, &, $(), and backticks) present in the destination field. This allows an attacker to break out of the intended traceroute command context and inject additional commands for execution.
Attack Vector
The attack is network-based and requires low-privilege authentication as a project user within OneUptime. An attacker can craft a malicious monitor configuration with a destination field containing shell metacharacters followed by arbitrary commands. When the Probe server processes this monitor and executes the traceroute operation, the injected commands are executed with the privileges of the Probe server process.
For example, a destination field containing example.com; cat /etc/passwd or $(malicious_command) would result in command execution beyond the intended traceroute operation.
// Security patch showing the fix from exec() to execFile()
// Source: https://github.com/OneUptime/oneuptime/commit/f2cce35a04fac756cecc7a4c55e23758b99288c1
} from "Common/Types/Monitor/NetworkMonitor/NetworkPathTrace";
import dns from "dns";
import { promisify } from "util";
-import { exec } from "child_process";
+import { execFile } from "child_process";
-const execAsync: (
- command: string,
-) => Promise<{ stdout: string; stderr: string }> = promisify(exec);
+const execFileAsync: (
+ file: string,
+ args: string[],
+) => Promise<{ stdout: string; stderr: string }> = promisify(execFile);
const dnsResolve: (hostname: string) => Promise<string[]> = promisify(
dns.resolve,
);
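Review bot: the call site that builds the `args` array handed to execFileAsync is not part of this excerpt, so the change cannot be verified end to end from the hunk alone; confirm that the monitor destination is passed as its own element of `args` rather than joined into one string, since execFile only removes the shell when the arguments stay separate, and that the destination validation the advisory mentions rejects values beginning with `-`, which traceroute would otherwise parse as an option.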
The fix replaces the vulnerable exec() function with execFile(), which does not spawn a shell and instead executes the file directly with arguments passed as an array. This prevents shell metacharacter interpretation and eliminates the command injection vector.
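To make the exec()/execFile() distinction concrete, here is an added TypeScript example (not OneUptime's code and not taken from the patch above) of a hardened traceroute wrapper: the destination is allowlisted as a hostname or IP literal, then passed to execFile() as a single argv element so no shell ever parses it. The traceroute flags -n and -m, the timeout and the sample inputs are assumptions made for this example.

```typescript
import { execFile } from "child_process";
import { promisify } from "util";
import { isIP } from "net";

const execFileAsync = promisify(execFile);

// Hostname shape per RFC 1123: labels of letters, digits and hyphens with no leading or
// trailing hyphen, joined by dots, at most 253 characters. Anything else is rejected,
// which covers the shell metacharacters from the advisory (; | & $() backticks) and a
// leading "-" that traceroute would otherwise parse as an option.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function isValidDestination(dest: string): boolean {
  // isIP returns 4 or 6 for a literal address, 0 otherwise.
  return isIP(dest) !== 0 || HOSTNAME_RE.test(dest);
}

// Build the argv that execFile() receives. The destination is one array element, never part
// of a command string, so a shell never sees it. Flags -n / -m are assumed for the example.
function buildTracerouteArgs(dest: string, maxHops = 30): string[] {
  if (!isValidDestination(dest)) {
    throw new Error(`Rejected traceroute destination: ${JSON.stringify(dest)}`);
  }
  return ["-n", "-m", String(maxHops), dest];
}

// Hardened counterpart of performTraceroute(): validate first, then run without a shell.
async function performTraceroute(dest: string): Promise<string> {
  const { stdout } = await execFileAsync("traceroute", buildTracerouteArgs(dest), {
    timeout: 60_000, // assumed bound so a stalled traceroute cannot hang the probe
  });
  return stdout;
}

// Constructed sample inputs: two benign values plus the injection shapes named in the advisory.
const SAMPLE_DESTINATIONS: string[] = [
  "example.com",
  "192.0.2.10",
  "example.com; cat /etc/passwd",
  "$(malicious_command)",
  "-n",
];

if (process.argv.includes("--run")) {
  // e.g. `ts-node example.ts --run example.com` on a host with traceroute installed
  performTraceroute(process.argv[process.argv.length - 1]).then(console.log, console.error);
}
```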
Detection Methods for CVE-2026-27728
Indicators of Compromise
- Unusual monitor destination field values containing shell metacharacters (;, |, &, $(), backticks)
- Unexpected process spawning from the Probe server process
- Anomalous network connections or reverse shells originating from Probe servers
- Unauthorized file system access or modifications on Probe server hosts
Detection Strategies
- Monitor audit logs for monitor configuration changes with suspicious destination values containing special characters
- Implement network detection rules for outbound connections from Probe servers to unexpected destinations
- Deploy endpoint detection to identify child processes spawned by the OneUptime Probe process that deviate from expected behavior (traceroute, ping, etc.)
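As an added example of the first detection strategy (not from this page or from OneUptime), the following TypeScript scans constructed audit-log lines for monitor create/update events whose destination contains the metacharacters listed above. The JSON field names are an assumption, since the real audit schema is not shown here; a denylist is appropriate for retrospective hunting, whereas the application-side fix should allowlist.

```typescript
// Constructed audit-log lines in an assumed JSON shape: one record per event, with the
// submitted destination on monitor create/update records.
const SAMPLE_AUDIT_LOG = `
{"ts":"2026-02-25T10:01:00Z","event":"monitor.update","user":"alice","project":"p1","destination":"api.example.com"}
{"ts":"2026-02-25T10:02:00Z","event":"monitor.update","user":"bob","project":"p1","destination":"example.com; cat /etc/passwd"}
{"ts":"2026-02-25T10:03:00Z","event":"monitor.create","user":"bob","project":"p2","destination":"$(malicious_command)"}
{"ts":"2026-02-25T10:04:00Z","event":"monitor.update","user":"carol","project":"p1","destination":"10.0.0.1 | id"}
{"ts":"2026-02-25T10:05:00Z","event":"user.login","user":"dave","project":"p1"}
`;

interface AuditRecord { ts: string; event: string; user: string; project: string; destination?: string }
interface Finding { ts: string; user: string; project: string; destination: string; metachars: string[] }

// Shell metacharacters named in the advisory, plus redirection, quoting and whitespace,
// none of which belong in a hostname or IP literal.
const SHELL_METACHARS = [";", "|", "&", "$", "`", "(", ")", "<", ">", "'", '"', " "];

function metacharsIn(value: string): string[] {
  return SHELL_METACHARS.filter((c) => value.includes(c));
}

// Walk newline-delimited JSON and report every monitor.* event whose destination carries
// shell metacharacters, keeping who changed it and in which project for triage.
function scanAuditLog(text: string): Finding[] {
  const findings: Finding[] = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    let rec: AuditRecord;
    try {
      rec = JSON.parse(line);
    } catch {
      continue; // malformed line: skip rather than abort the scan
    }
    if (typeof rec.event !== "string" || !rec.event.startsWith("monitor.")) continue;
    if (typeof rec.destination !== "string") continue;
    const hits = metacharsIn(rec.destination);
    if (hits.length > 0) {
      findings.push({ ts: rec.ts, user: rec.user, project: rec.project, destination: rec.destination, metachars: hits });
    }
  }
  return findings;
}

if (process.argv.includes("--run")) {
  for (const f of scanAuditLog(SAMPLE_AUDIT_LOG)) console.log(JSON.stringify(f));
}
```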
Monitoring Recommendations
- Enable verbose logging on Probe servers and centralize log collection for security analysis
- Implement file integrity monitoring on Probe server hosts to detect unauthorized changes
- Configure alerting for command execution anomalies using SentinelOne's behavioral AI detection capabilities
How to Mitigate CVE-2026-27728
Immediate Actions Required
- Upgrade OneUptime to version 10.0.7 or later immediately
- Audit existing monitor configurations for any suspicious destination field values
- Review Probe server logs for signs of exploitation
- Isolate Probe servers if immediate patching is not possible
Patch Information
OneUptime has released version 10.0.7 which addresses this vulnerability by replacing the vulnerable exec() function with execFile() and implementing destination validation. The security fix is available in commit f2cce35a04fac756cecc7a4c55e23758b99288c1. Organizations should update to this version or later as soon as possible.
For additional details, refer to the GitHub Security Advisory GHSA-jmhp-5558-qxh5 and the security patch commit.
Workarounds
- Restrict network access to Probe servers to limit potential attack surface
- Implement strict input validation at the application level for monitor destination fields
- Apply network segmentation to isolate Probe servers from critical infrastructure
- Limit project user permissions to only trusted individuals until patching is complete
# Example: Update OneUptime to patched version
docker pull oneuptime/oneuptime:10.0.7
docker-compose down && docker-compose up -d
# Verify the installed version
docker exec oneuptime-app cat package.json | grep version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

