Cyber Posture

CVE-2026-27574

Critical · Public PoC · RCE

Published: 21 February 2026
Modified: 23 February 2026
KEV Added: not listed
Patch: fixed in version 10.0.5
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.2th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27574 is a critical-severity Code Injection (CWE-94) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 8.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- SI-2 Flaw Remediation (prevent): directly remediates the flaw in the node:vm module's insecure execution of user-supplied JavaScript by requiring timely patching to version 10.0.5 or later.
- CM-7 Least Functionality (prevent): prohibits or disables the unnecessary custom JavaScript monitor feature, eliminating the vector for untrusted code execution.
- Least privilege (prevent): limits the probe process to least privilege by not storing cluster credentials in its environment variables, reducing the impact of a sandbox escape.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.007 JavaScript (Execution): adversaries may abuse various implementations of JavaScript for execution.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a public-facing web app with a Node.js vm sandbox escape (CWE-94) that directly enables remote code execution via attacker-supplied JavaScript (T1190 + T1059.007) from a low-privileged account, resulting in scope-changing privilege escalation to full cluster compromise via exposed credentials (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, the custom JavaScript monitor feature uses Node.js's node:vm module (explicitly documented as not a security mechanism) to execute user-supplied code, allowing trivial sandbox escape via a well-known one-liner that grants full access to the underlying process. Because the probe runs with host networking and holds all cluster credentials (ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, CLICKHOUSE_PASSWORD) in its environment variables, and monitor creation is available to the lowest role (ProjectMember) with open registration enabled by default, any anonymous user can achieve full cluster compromise in about 30 seconds. This issue has been fixed in version 10.0.5.

Deeper analysis (AI-generated)

CVE-2026-27574 affects OneUptime, an open-source solution for monitoring and managing online services, specifically in versions 9.5.13 and below. The vulnerability resides in the custom JavaScript monitor feature, which relies on Node.js's node:vm module—explicitly documented as not intended for security—to execute user-supplied code. This design flaw enables a trivial sandbox escape using a well-known one-liner, granting attackers full access to the underlying probe process.

Any anonymous user can exploit this vulnerability due to OneUptime's default open registration, which allows creation of monitors at the lowest ProjectMember role with low privileges required (PR:L). By supplying malicious JavaScript during monitor creation, attackers can escape the sandbox in seconds. The probe process runs with host networking privileges and exposes all cluster credentials—including ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, and CLICKHOUSE_PASSWORD—in environment variables, enabling full cluster compromise with confidentiality, integrity, and availability impacts (CVSS 9.9: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H; CWE-94).

The OneUptime security advisory (GHSA-v264-xqh4-9xmm) and corresponding fix in commit 7f9ed4d43945574702a26b7c206e38cc344fe427 confirm the issue was resolved in version 10.0.5. Security practitioners should upgrade to 10.0.5 or later and review configurations to disable open registration where possible.

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: hackerbay / oneuptime, ≤ 10.0.5 (as recorded on this page; the NVD description above states that versions 9.5.13 and below are affected and that 10.0.5 contains the fix)

CVEs Like This One

- CVE-2026-30887 (same product: Hackerbay Oneuptime)
- CVE-2026-30921 (same product: Hackerbay Oneuptime)
- CVE-2026-33396 (same product: Hackerbay Oneuptime)
- CVE-2026-35053 (same product: Hackerbay Oneuptime)
- CVE-2026-32308 (same product: Hackerbay Oneuptime)
- CVE-2026-33142 (same product: Hackerbay Oneuptime)
- CVE-2026-34759 (same product: Hackerbay Oneuptime)
- CVE-2026-34840 (same product: Hackerbay Oneuptime)
- CVE-2026-30956 (same product: Hackerbay Oneuptime)
- CVE-2026-28787 (same product: Hackerbay Oneuptime)

References