CVE-2026-33396

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution. Synthetic monitor code is executed in VMRunner.runCodeInNodeVM with a live Playwright page object in context. The sandbox relies on a denylist of blocked properties/methods, but it is incomplete. Specifically, _browserType and launchServer are not blocked, so attacker code can traverse `page.context().browser()._browserType.launchServer(...)` and spawn arbitrary processes. Version 10.0.35 contains a patch.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/OneUptime/oneuptime/commit/e8e4ee3ff0740eb131045ab3d67453141c46178a	Patch
https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg	Exploit Vendor Advisory
https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-26 14:16

Updated : 2026-03-26 20:40

NVD link : CVE-2026-33396

Mitre link : CVE-2026-33396

CVE.ORG link : CVE-2026-33396

JSON object : View

Products Affected

hackerbay

oneuptime

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-184

Incomplete List of Disallowed Inputs

CWE-693

Protection Mechanism Failure

{"id": "CVE-2026-33396", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2026-03-26T14:16:13.310", "references": [{"url": "https://github.com/OneUptime/oneuptime/commit/e8e4ee3ff0740eb131045ab3d67453141c46178a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-693"}]}], "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution. Synthetic monitor code is executed in VMRunner.runCodeInNodeVM with a live Playwright page object in context. The sandbox relies on a denylist of blocked properties/methods, but it is incomplete. Specifically, _browserType and launchServer are not blocked, so attacker code can traverse `page.context().browser()._browserType.launchServer(...)` and spawn arbitrary processes. Version 10.0.35 contains a patch."}, {"lang": "es", "value": "OneUptime es una plataforma de monitoreo y observabilidad de c\u00f3digo abierto. Antes de la versi\u00f3n 10.0.35, un usuario autenticado con bajos privilegios (ProjectMember) puede lograr la ejecuci\u00f3n remota de comandos en el contenedor/host de Probe abusando de la ejecuci\u00f3n de scripts de Playwright del Monitor Sint\u00e9tico. El c\u00f3digo del monitor sint\u00e9tico se ejecuta en VMRunner.runCodeInNodeVM con un objeto de p\u00e1gina de Playwright en vivo en contexto. El sandbox se basa en una lista de denegaci\u00f3n de propiedades/m\u00e9todos bloqueados, pero est\u00e1 incompleta. Espec\u00edficamente, _browserType y launchServer no est\u00e1n bloqueados, por lo que el c\u00f3digo del atacante puede recorrer 'page.context().browser()._browserType.launchServer(...)' y generar procesos arbitrarios. La versi\u00f3n 10.0.35 contiene un parche."}], "lastModified": "2026-03-26T20:40:52.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BE6EDDCA-31EC-4458-ACF2-9FA51FAE4FAE", "versionEndExcluding": "10.0.35"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}