CVE-2026-30921
Published: 10 March 2026
Summary
CVE-2026-30921 is a critical-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely patching of the specific flaw in OneUptime prior to version 10.0.20 that enables RCE via custom Playwright code execution.
Mandates process isolation for executing untrusted user-submitted Playwright code on the oneuptime-probe service, preventing access to live host objects like browser that enable arbitrary executable spawning.
Enforces least privilege to restrict low-privileged project users from submitting executable code or limits the probe service execution context, reducing RCE impact.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
RCE in public-facing OneUptime web app via malicious JS/Playwright script submission directly maps to T1190; execution occurs through server-side JavaScript in Node.js vm (T1059.007); low-priv project user to full host/container compromise with scope change maps to T1068.
NVD Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is…
more
run inside Node's vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20.
Deeper analysisAI
CVE-2026-30921 is a critical remote code execution (RCE) vulnerability in OneUptime, an open-source solution for monitoring and managing online services. It affects versions prior to 10.0.20, specifically the Synthetic Monitors feature, where low-privileged project users can submit custom Playwright code executed on the oneuptime-probe service. This code runs inside Node.js's vm module but receives live host Playwright objects, such as browser and page, bypassing traditional sandbox escapes. Attackers can directly invoke methods like browser.browserType().launch() to spawn arbitrary executables on the probe host or container. The vulnerability is rated 9.9 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-749 (Exposed Dangerous Method or Function).
Low-privileged project users with access to submit custom Playwright scripts for Synthetic Monitors can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting malicious code that leverages the provided Playwright objects, attackers achieve server-side RCE on the oneuptime-probe service, enabling full compromise of the host or container, including high confidentiality, integrity, and availability impacts due to the changed scope.
The vulnerability is fixed in OneUptime version 10.0.20. For full details on the patch and mitigation steps, refer to the GitHub security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8.
Details
- CWE(s)