CVE-2026-35053 Overview
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipulation. This issue has been patched in version 10.0.42.
Critical Impact
Unauthenticated attackers can remotely trigger arbitrary workflow execution with attacker-controlled input, leading to JavaScript code execution, notification abuse, and data manipulation within the monitoring platform.
Affected Products
- OneUptime versions prior to 10.0.42
- OneUptime Worker service with ManualAPI endpoints exposed
- Organizations using OneUptime's workflow automation features
Discovery Timeline
- 2026-04-02 - CVE-2026-35053 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-35053
Vulnerability Analysis
This vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The OneUptime Worker service exposes two critical workflow execution endpoints via the ManualAPI without implementing any authentication middleware. The affected endpoints allow both GET and POST requests to the /workflow/manual/run/:workflowId path, enabling any network-accessible attacker to trigger workflow executions.
The absence of authentication on these endpoints creates a significant attack surface. Since workflows in OneUptime can execute JavaScript code, send notifications, and manipulate data within the platform, an attacker gaining access to these endpoints can achieve substantial impact on the confidentiality, integrity, and availability of the monitored infrastructure.
Root Cause
The root cause of this vulnerability is the missing authentication middleware on the ManualAPI's workflow execution endpoints within the Worker service. The developers failed to implement proper access controls on these sensitive endpoints, allowing unauthenticated requests to reach the workflow execution logic. This represents a fundamental architectural oversight where critical functionality was exposed without corresponding security controls.
Attack Vector
The attack vector is network-based and requires no user interaction or prior authentication. An attacker must either obtain or guess a valid workflow ID to exploit this vulnerability. Once a valid workflow ID is identified, the attacker can:
- Send HTTP GET or POST requests to /workflow/manual/run/:workflowId
- Include attacker-controlled input data in the request payload
- Trigger arbitrary workflow execution that may include JavaScript code execution
- Abuse notification systems configured within workflows
- Manipulate data accessible through the workflow context
The exploitation complexity is reduced by the network-accessible nature of the endpoints and the lack of any authentication requirements. Workflow IDs may be discoverable through various means including API enumeration, information disclosure in logs, or social engineering.
Detection Methods for CVE-2026-35053
Indicators of Compromise
- Unusual HTTP requests to /workflow/manual/run/ endpoints from unexpected IP addresses
- Unexpected workflow executions appearing in OneUptime logs without corresponding user activity
- Anomalous notification activity triggered by workflows that were not manually initiated by authorized users
Detection Strategies
- Monitor access logs for requests to /workflow/manual/run/:workflowId endpoints from unauthorized sources
- Implement network-level detection rules for unauthenticated API calls to the Worker service
- Review workflow execution audit logs for executions occurring outside normal operational patterns
Monitoring Recommendations
- Enable detailed logging on the OneUptime Worker service to capture all API requests
- Configure alerting for workflow executions that do not correspond to authenticated user sessions
- Implement rate limiting and anomaly detection on workflow execution endpoints
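The detection strategies above, applied to access logs as an added example (not OneUptime code): it parses combined-format log lines, picks out GET/POST requests to /workflow/manual/run/:workflowId, flags any that come from outside an assumed set of trusted networks, and flags sources that hit the endpoint repeatedly, which is what ID guessing would look like. The trusted ranges, burst threshold and the log lines themselves are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumed: only these networks should ever reach the Worker's ManualAPI.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Assumed: this many manual-run requests from one source in the sample is a burst.
BURST_THRESHOLD = 3

# Combined log format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The vulnerable endpoint path from the advisory, with the workflow ID captured.
MANUAL_RUN_RE = re.compile(r"^/workflow/manual/run/(?P<workflow_id>[^/?#]+)")


def is_trusted(ip):
    """True if the source address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_manual_run_alerts(lines):
    """Return alerts: manual-run calls from untrusted sources, plus per-source bursts."""
    alerts, hits_by_ip = [], Counter()
    for line in lines:
        rec = LOG_RE.match(line)
        path = MANUAL_RUN_RE.match(rec.group("path")) if rec else None
        if not path:
            continue  # not a parseable line, or not the ManualAPI run endpoint
        hits_by_ip[rec.group("ip")] += 1
        if not is_trusted(rec.group("ip")):
            alerts.append({"kind": "untrusted_source", "ip": rec.group("ip"), "method": rec.group("method"),
                           "workflow_id": path.group("workflow_id"), "status": int(rec.group("status"))})
    for ip, count in hits_by_ip.items():
        if count >= BURST_THRESHOLD:
            alerts.append({"kind": "burst", "ip": ip, "count": count})
    return alerts


# Constructed sample access log lines (not real traffic).
SAMPLE_LOG = [
    '10.1.4.20 - admin [02/Apr/2026:10:00:01 +0000] "POST /workflow/manual/run/wf-0001 HTTP/1.1" 200 51 "-" "curl/8.5"',
    '203.0.113.7 - - [02/Apr/2026:10:02:10 +0000] "GET /workflow/manual/run/wf-0001 HTTP/1.1" 200 51 "-" "python-requests/2.31"',
    '203.0.113.7 - - [02/Apr/2026:10:02:11 +0000] "POST /workflow/manual/run/wf-0002 HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [02/Apr/2026:10:02:12 +0000] "POST /workflow/manual/run/wf-0003 HTTP/1.1" 200 51 "-" "python-requests/2.31"',
    '10.1.4.20 - - [02/Apr/2026:10:05:00 +0000] "GET /status HTTP/1.1" 200 2 "-" "curl/8.5"',
]

if __name__ == "__main__":
    for alert in find_manual_run_alerts(SAMPLE_LOG):
        print(alert)
```

A 404 on the run path is worth keeping in the alert list: on an unpatched Worker it can mean a non-existent workflow ID was tried, which is the guessing behaviour the advisory describes.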
How to Mitigate CVE-2026-35053
Immediate Actions Required
- Upgrade OneUptime to version 10.0.42 or later immediately
- Restrict network access to the Worker service's ManualAPI endpoints using firewall rules or network segmentation
- Audit workflow execution logs for any unauthorized executions prior to patching
Patch Information
The vulnerability has been addressed in OneUptime version 10.0.42. The patch adds authentication middleware to the affected workflow execution endpoints, ensuring that only authorized users can trigger workflow executions. Organizations should upgrade to this version or later to remediate the vulnerability.
For detailed information about the security fix, refer to the OneUptime Release 10.0.42 and the GitHub Security Advisory GHSA-6c3w-7xg4-4cf7.
Workarounds
- Implement network-level access controls to restrict access to the Worker service API to trusted internal networks only
- Deploy a reverse proxy with authentication in front of the Worker service to enforce access controls
- Disable or restrict the ManualAPI workflow execution functionality if not required for operations until patching is possible
# Example: Network-level restriction using iptables
# Restrict access to Worker service port (adjust port number as needed)
# Note: -A appends to the end of the INPUT chain, so an earlier blanket ACCEPT rule would
# still match first; check the chain order with "iptables -L INPUT -n --line-numbers" or use -I to insert.
iptables -A INPUT -p tcp --dport 3000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
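The second workaround above, a reverse proxy that adds authentication in front of the Worker service, as an added stdlib-only Python sketch (OneUptime itself is not written in Python and this is not its code). It gates only the /workflow/manual/run/ path, requiring a trusted source network and a bearer token before forwarding to the Worker; the upstream address, trusted range, gateway port and the WORKER_GATEWAY_TOKEN environment variable are assumptions for the example.

```python
import hmac, ipaddress, os, re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request as urlrequest
from urllib.error import HTTPError

WORKER_UPSTREAM = os.environ.get("WORKER_UPSTREAM", "http://127.0.0.1:3000")  # assumed Worker address
GATEWAY_TOKEN = os.environ.get("WORKER_GATEWAY_TOKEN")  # assumed shared secret; unset means fail closed
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed trusted range, as in the iptables example
MANUAL_RUN_RE = re.compile(r"^/workflow/manual/run/[^/?#]+")  # the unauthenticated endpoint


def authorize(method, path, headers, client_ip, token=None):
    """Return (allowed, reason). Only the ManualAPI run path is gated; other paths pass through."""
    token = GATEWAY_TOKEN if token is None else token
    if not MANUAL_RUN_RE.match(path):
        return True, "not a manual-run endpoint"
    if not token:
        return False, "gateway token not configured"  # never fall open on a missing secret
    if not any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS):
        return False, "source outside trusted networks"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or not hmac.compare_digest(auth[7:], token):
        return False, "missing or invalid bearer token"
    return True, "authenticated"


class Gateway(BaseHTTPRequestHandler):
    def _handle(self):
        ok, reason = authorize(self.command, self.path, self.headers, self.client_address[0])
        self.log_message("%s %s from %s: %s", self.command, self.path, self.client_address[0], reason)
        if not ok:
            self.send_response(401 if reason.startswith("missing") else 403)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        # Forward without the gateway's Authorization header; the Worker never sees the token.
        upstream = urlrequest.Request(WORKER_UPSTREAM + self.path, data=body, method=self.command,
                                      headers={"Content-Type": self.headers.get("Content-Type", "application/json")})
        try:
            with urlrequest.urlopen(upstream) as resp:
                status, payload = resp.status, resp.read()
        except HTTPError as err:  # relay Worker 4xx/5xx instead of crashing the handler
            status, payload = err.code, err.read()
        self.send_response(status)
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = _handle  # the advisory's two affected methods


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Gateway).serve_forever()  # assumed gateway port
```

This only helps if the Worker port itself is unreachable except from the gateway (the iptables rules above do that), otherwise callers simply bypass it.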
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.