CVE-2026-45102 Overview
CVE-2026-45102 is a sandbox escape vulnerability in OneUptime, an open-source monitoring and observability platform. The flaw exists in versions prior to 10.0.98 and stems from the misuse of the Node.js vm module as a security isolation primitive. The Node.js vm module was not designed for sandboxing untrusted code and can be escaped through crafted error objects and infinite recursion patterns. Successful exploitation allows an authenticated attacker to break out of the intended execution context and execute arbitrary code in the host process. The issue is tracked under [CWE-693] (Protection Mechanism Failure) and is fixed in OneUptime 10.0.98.
Critical Impact
An authenticated attacker can escape the Node.js vm sandbox in OneUptime and execute code in the host worker process (a scope change from the sandboxed context to the host), compromising the confidentiality, integrity, and availability of the host platform.
Affected Products
- OneUptime versions prior to 10.0.98
- Self-hosted OneUptime monitoring and observability deployments
- Any OneUptime workflow or probe executing user-supplied JavaScript through the vm module
Discovery Timeline
- 2026-05-27 - CVE-2026-45102 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45102
Vulnerability Analysis
OneUptime relied on the Node.js built-in vm module to isolate untrusted JavaScript executed by monitoring workflows and custom probe logic. The vm module provides context separation, not a security boundary. Node.js maintainers have repeatedly stated that vm should not be used to run untrusted code. Attackers with permission to submit JavaScript to OneUptime can craft payloads that reference objects belonging to the outer realm and pivot to the host context. The vulnerability is classified as a Protection Mechanism Failure [CWE-693] because the chosen isolation primitive does not enforce the security boundary the application assumed.
Root Cause
The root cause is the architectural use of Node.js vm.runInContext-style APIs as a trust boundary. When code inside the sandboxed context throws an error or triggers uncaught exceptions in host callbacks, the resulting error object carries a prototype chain that resolves to constructors in the outer realm. By walking error.constructor.constructor, an attacker reaches the host Function constructor and instantiates arbitrary code outside the sandbox. Infinite recursion patterns provide an additional escape path by forcing stack overflow errors whose handlers leak host-realm references.
Attack Vector
Exploitation requires network access to a OneUptime instance and low-privilege authenticated access sufficient to submit JavaScript to a monitor, workflow, or probe component. The attacker submits a payload that obtains a reference to a host-realm constructor through an error object or recursion-induced exception. The payload then constructs and invokes a function in the host context, executing arbitrary Node.js code with the privileges of the OneUptime worker process. Because the scope changes from the sandboxed context to the host, the attacker can read secrets, alter monitoring data, and disrupt service availability. No specific exploit code is referenced in the public advisory; details are described in prose in the GitHub Security Advisory.
Detection Methods for CVE-2026-45102
Indicators of Compromise
- Unexpected child processes spawned by the OneUptime Node.js worker, such as sh, bash, curl, or wget.
- Outbound network connections from OneUptime worker containers to addresses not associated with monitored targets.
- Workflow or probe definitions containing references to constructor.constructor, process.mainModule, or require('child_process').
Detection Strategies
- Inspect OneUptime workflow and probe scripts for patterns that traverse prototype chains via error.constructor or that intentionally trigger stack overflows.
- Correlate authentication logs against subsequent workflow modifications to identify low-privilege accounts pushing JavaScript payloads.
- Monitor process-tree telemetry on hosts running OneUptime for the Node.js process spawning unexpected children.
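The following is an added example, not code from OneUptime or from the advisory, showing how the indicators and detection strategies above can be turned into two checks: a static scan of stored workflow or probe scripts for the listed patterns (prototype walks through error.constructor, constructor.constructor, process.mainModule, require('child_process'), and unguarded self-recursion as a coarse proxy for a forced stack overflow), and a process-tree check that flags the Node.js worker spawning sh, bash, curl, or wget. The sample scripts and process events are constructed for the example, the parent process name "node" is an assumption, and the recursion heuristic is deliberately simple.

```javascript
// Added example (not OneUptime's code): detection logic for the indicators in this
// advisory. Sample inputs below are constructed, not taken from a real deployment.

// Script-level indicators from the advisory's IoC list. Each regex is tagged so an
// alert can say which pattern fired and on which line.
const SCRIPT_INDICATORS = [
  { id: 'proto-walk', label: 'constructor.constructor (walk to host Function constructor)',
    re: /\bconstructor\s*\.\s*constructor\b/ },
  { id: 'error-ctor', label: 'constructor access on an error object',
    re: /\b(err|error|e)\s*\.\s*constructor\b/ },
  { id: 'main-module', label: 'process.mainModule reference',
    re: /\bprocess\s*\.\s*mainModule\b/ },
  { id: 'child-process', label: "require('child_process')",
    re: /require\s*\(\s*['"`]child_process['"`]\s*\)/ },
];

// Coarse heuristic (an assumption of this example, not a rule from the advisory):
// a function declaration with a brace-free body that calls itself and contains no
// `if` is treated as unguarded self-recursion, i.e. a likely forced stack overflow.
function hasUnguardedSelfRecursion(source) {
  const fnRe = /function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{([^{}]*)\}/g;
  let m;
  while ((m = fnRe.exec(source)) !== null) {
    const [, name, body] = m;
    const callsSelf = new RegExp(`\\b${name}\\s*\\(`).test(body);
    const guarded = /\bif\b/.test(body);
    if (callsSelf && !guarded) return true;
  }
  return false;
}

// Scan one stored script and return a list of findings with 1-based line numbers.
function scanScript(name, source) {
  const findings = [];
  for (const ind of SCRIPT_INDICATORS) {
    const m = ind.re.exec(source);
    if (m) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ script: name, indicator: ind.id, detail: ind.label, line });
    }
  }
  if (hasUnguardedSelfRecursion(source)) {
    findings.push({ script: name, indicator: 'self-recursion',
      detail: 'unguarded self-recursion (possible forced stack overflow)', line: null });
  }
  return findings;
}

// Process-tree check: the advisory names sh, bash, curl and wget as unexpected
// children of the OneUptime Node.js worker. Events are { ts, parent, child }; the
// parent image name "node" is an assumption for this example.
const SUSPICIOUS_CHILDREN = new Set(['sh', 'bash', 'curl', 'wget']);

function flagWorkerChildren(events, workerImage = 'node') {
  return events.filter((ev) => ev.parent === workerImage && SUSPICIOUS_CHILDREN.has(ev.child));
}

// Constructed sample data: one benign HTTP check and one script carrying the
// advisory's indicators; a short constructed process-spawn log.
const SAMPLE_SCRIPTS = {
  'http-check': `const res = await fetch(url);\nreturn res.status === 200;`,
  'suspicious': `try { null.x } catch (e) { const F = e.constructor.constructor; }\nfunction loop() { loop(); }`,
};

const SAMPLE_EVENTS = [
  { ts: '2026-05-27T10:00:01Z', parent: 'node', child: 'node' },
  { ts: '2026-05-27T10:00:05Z', parent: 'node', child: 'sh' },
  { ts: '2026-05-27T10:00:06Z', parent: 'sh', child: 'curl' },
  { ts: '2026-05-27T10:00:09Z', parent: 'node', child: 'wget' },
];

// Run both checks over the constructed samples and return the combined report.
function report() {
  const findings = Object.entries(SAMPLE_SCRIPTS).flatMap(([n, s]) => scanScript(n, s));
  const spawns = flagWorkerChildren(SAMPLE_EVENTS);
  return { findings, spawns };
}

console.log(JSON.stringify(report(), null, 2));
```

The script scan is meant to run against the stored workflow, monitor, and probe definitions (for example on every create or update event, so it pairs with the audit logging recommended below) rather than against code at execution time. The process-tree check only looks at direct children of the worker; the constructed sh -> curl event is deliberately not flagged by it, which is the case a full process-ancestry check in your EDR or telemetry pipeline should cover.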
Monitoring Recommendations
- Enable verbose audit logging for workflow, monitor, and probe creation or update events in OneUptime.
- Alert on file system writes by the OneUptime worker outside its expected working directories.
- Track egress traffic from OneUptime worker pods and flag connections to non-monitored destinations.
How to Mitigate CVE-2026-45102
Immediate Actions Required
- Upgrade all OneUptime instances to version 10.0.98 or later without delay.
- Audit existing workflows, monitors, and probes for malicious or unfamiliar JavaScript added before the patch was applied.
- Rotate API keys, integration tokens, and secrets accessible to the OneUptime worker process.
Patch Information
The vulnerability is fixed in OneUptime 10.0.98. Refer to the OneUptime GitHub Security Advisory GHSA-g9cp-35m2-fjv6 for the official patch reference and remediation guidance.
Workarounds
- Restrict permissions to create or modify workflows, monitors, and probes to trusted administrators only.
- Isolate OneUptime worker processes in dedicated containers with minimal filesystem and network privileges until the upgrade is complete.
- Block outbound network access from OneUptime worker containers to any destination not required for monitoring.
# Upgrade OneUptime to the patched release
git fetch --tags
git checkout release/10.0.98
docker compose pull
docker compose up -d
# Verify running version
docker compose exec app node -e "console.log(require('./package.json').version)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.