CVE-2026-30921 Overview
CVE-2026-30921 is a critical Remote Code Execution (RCE) vulnerability in OneUptime, an open-source solution for monitoring and managing online services. The vulnerability exists in the Synthetic Monitors feature, where low-privileged project users can submit custom Playwright code that executes on the oneuptime-probe service. The implementation flaw lets attackers use the injected Playwright browser objects to spawn arbitrary executables on the probe host or container, without needing traditional sandbox escape techniques.
Critical Impact
Low-privileged users can achieve remote code execution on the probe host by exploiting live Playwright browser objects, potentially leading to full system compromise, lateral movement, and data exfiltration.
Affected Products
- Hackerbay OneUptime versions prior to 10.0.20
Discovery Timeline
- 2026-03-10 - CVE-2026-30921 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-30921
Vulnerability Analysis
The vulnerability stems from a fundamental design flaw in how OneUptime handles untrusted user-submitted code within its Synthetic Monitors feature. The application allows project users to submit custom Playwright automation scripts, which are intended for monitoring web services and performing synthetic testing.
The core issue lies in the execution environment: untrusted code runs inside Node.js's vm module and is provided with live host Playwright objects, specifically the browser and page instances. While the vm module provides basic sandboxing, the presence of these live objects creates a distinct attack vector that doesn't require traditional sandbox escape techniques like the this.constructor.constructor(...) pattern.
An attacker with low-level project access can directly manipulate the injected browser object to call browser.browserType().launch(...) with attacker-controlled arguments, effectively spawning arbitrary executables on the underlying probe host or container. This represents a complete bypass of the intended execution constraints.
Root Cause
The root cause is categorized under CWE-749: Exposed Dangerous Method or Function. The application exposes powerful Playwright browser automation objects to untrusted user code without proper restrictions. By providing access to browser.browserType().launch(), the application inadvertently grants users the ability to execute arbitrary system commands, as this method can be used to spawn processes with user-controlled executable paths and arguments.
Attack Vector
The attack can be executed remotely over the network by any authenticated user with low-level project privileges. The attacker submits malicious Playwright code through the Synthetic Monitors interface. Since the vulnerability exists in the oneuptime-probe service, successful exploitation grants code execution within the probe's execution context, which may be a container or host system depending on deployment configuration.
The attacker does not need to escape the Node.js vm sandbox using conventional techniques. Instead, they leverage the legitimately provided Playwright objects to invoke system-level operations, making this a novel and particularly dangerous attack primitive.
Detection Methods for CVE-2026-30921
Indicators of Compromise
- Unusual process spawning from the oneuptime-probe service or container
- Synthetic Monitor scripts containing calls to browserType().launch() with non-standard executable paths
- Unexpected outbound network connections originating from probe infrastructure
- Anomalous file system activity within probe containers or hosts
Detection Strategies
- Monitor Synthetic Monitor script submissions for suspicious Playwright API calls, particularly browserType().launch() with arbitrary arguments
- Implement behavioral analysis to detect process execution patterns inconsistent with normal Playwright browser automation
- Deploy endpoint detection and response (EDR) solutions to identify unauthorized process creation within probe infrastructure
- Review application logs for unusual Synthetic Monitor execution patterns or errors
Monitoring Recommendations
- Enable detailed logging for all Synthetic Monitor script submissions and executions
- Implement real-time alerting for process spawning events from probe services
- Deploy network segmentation monitoring to detect lateral movement attempts from compromised probe infrastructure
- Establish baseline behavior for probe containers and alert on deviations
How to Mitigate CVE-2026-30921
Immediate Actions Required
- Upgrade OneUptime to version 10.0.20 or later immediately
- Audit all existing Synthetic Monitor scripts for potentially malicious content
- Review access logs to identify any suspicious script submissions prior to patching
- Implement network isolation for probe infrastructure as a temporary containment measure
Patch Information
The vulnerability has been fixed in OneUptime version 10.0.20. Organizations should upgrade to this version or later to remediate the vulnerability. Detailed information about the fix is available in the GitHub Security Advisory.
Workarounds
- Restrict Synthetic Monitor creation privileges to only highly trusted administrative users until patching is complete
- Implement additional network segmentation to isolate probe infrastructure from sensitive systems
- Deploy application-level filtering to block Synthetic Monitor scripts containing dangerous Playwright API patterns
- Consider temporarily disabling the Synthetic Monitors feature if not critical to operations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

