CVE-2026-32308 Overview
CVE-2026-32308 is a Cross-Site Scripting (XSS) vulnerability in OneUptime, an open-source solution for monitoring and managing online services. The vulnerability exists in the Markdown viewer component, which renders Mermaid diagrams with an insecure securityLevel: "loose" configuration and injects the resulting SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling attackers to execute arbitrary JavaScript through Mermaid's click directive.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of authenticated user sessions, potentially leading to session hijacking, data theft, or unauthorized actions across incident descriptions, status page announcements, and monitor notes.
Affected Products
- Hackerbay OneUptime versions prior to 10.0.23
Discovery Timeline
- 2026-03-13 - CVE CVE-2026-32308 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-32308
Vulnerability Analysis
This vulnerability stems from an insecure configuration in how OneUptime handles Mermaid diagram rendering within its Markdown viewer component. Mermaid is a popular JavaScript library for generating diagrams from text definitions. When configured with securityLevel: "loose", Mermaid permits interactive elements and event bindings within diagrams, which directly contradicts security best practices for user-generated content.
The vulnerability affects any field within OneUptime that renders Markdown content, including incident descriptions, status page announcements, and monitor notes. Since these are commonly used features in monitoring workflows, the attack surface is substantial for organizations relying on OneUptime for their infrastructure monitoring needs.
Root Cause
The root cause is twofold: First, the Mermaid library is initialized with securityLevel: "loose" instead of the recommended securityLevel: "strict" setting. Second, the rendered SVG output is injected into the DOM using innerHTML, which does not sanitize script execution contexts. This combination allows Mermaid's click directive to bind arbitrary JavaScript to diagram elements, bypassing typical XSS protections.
Attack Vector
The attack is network-accessible and requires low privileges (an authenticated user account) to exploit. An attacker can craft a malicious Mermaid diagram definition within any Markdown-enabled field. When another user views the content, the injected JavaScript executes in their browser context. The vulnerability has a changed scope, meaning the impact extends beyond the vulnerable component to affect the user's entire session. The attack results in high confidentiality impact and low integrity impact, with potential for session token theft, credential harvesting, or performing actions on behalf of the victim user.
Exploitation involves crafting a Mermaid diagram with a click directive containing JavaScript code. When a victim views the rendered diagram, the malicious code executes. See the GitHub Security Advisory for technical details on the exploitation mechanism.
Detection Methods for CVE-2026-32308
Indicators of Compromise
- Mermaid diagram definitions containing click directives with JavaScript code patterns such as javascript:, onclick, or inline script functions
- Unusual SVG elements with event handlers embedded in Markdown content fields
- User reports of unexpected browser behavior when viewing incident descriptions or status pages
Detection Strategies
- Implement content security policies (CSP) that restrict inline script execution and log violations
- Monitor Markdown input fields for Mermaid syntax containing suspicious click directive patterns
- Review application logs for unusual rendering errors or JavaScript execution in Markdown contexts
- Deploy web application firewalls with rules to detect XSS payloads in diagram definitions
Monitoring Recommendations
- Enable browser console logging and aggregate client-side errors for anomaly detection
- Configure SentinelOne Singularity to monitor for suspicious script execution patterns in web application processes
- Audit user-submitted content in incident descriptions and status page announcements for malicious payloads
How to Mitigate CVE-2026-32308
Immediate Actions Required
- Upgrade OneUptime to version 10.0.23 or later immediately
- Review existing incident descriptions, status page announcements, and monitor notes for potentially malicious Mermaid diagrams
- Implement Content Security Policy headers to mitigate XSS impact while patching is in progress
- Consider temporarily disabling Mermaid diagram rendering if immediate patching is not possible
Patch Information
The vulnerability is fixed in OneUptime version 10.0.23. Organizations should upgrade to this version or later to remediate the vulnerability. The patch modifies the Mermaid configuration to use a stricter security level and implements proper sanitization of the SVG output. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Configure a Content Security Policy that blocks inline script execution: script-src 'self'
- If using a reverse proxy, implement input filtering to reject Markdown content containing Mermaid click directives
- Restrict Markdown field editing to trusted administrator accounts until the patch is applied
- Consider disabling Mermaid diagram support entirely through configuration if the feature is not critical
# Example CSP header configuration for nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
