Cyber Resilience

CVE-2026-30958

HighPublic PoC

Published: 10 March 2026

Published
10 March 2026
Modified
12 March 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score 0.0046 36.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-30958 is a high-severity Path Traversal (CWE-22) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2026-30958 is an unauthenticated path traversal vulnerability (CWE-22) in OneUptime, a solution for monitoring and managing online services. Versions prior to 10.0.21 are affected, specifically the /workflow/docs/:componentName endpoint. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts without sanitization or authentication middleware, allowing attackers to read arbitrary files from the server filesystem.

Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation enables reading of arbitrary files, resulting in low confidentiality and integrity impacts but no availability impact. The CVSS v3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting high severity due to the changed scope.

The vulnerability is fixed in OneUptime version 10.0.21. Mitigation details are available in the GitHub security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p2wh-9pw8-hvff and the release notes at https://github.com/OneUptime/oneuptime/releases/tag/10.0.21.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file path…

more

passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts with no sanitization or authentication middleware. This vulnerability is fixed in 10.0.21.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Unauthenticated path traversal in public-facing web endpoint (T1190: Exploit Public-Facing Application) enables arbitrary file reads from the local filesystem (T1005: Data from Local System).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34840Same product: Hackerbay Oneuptime
CVE-2026-33142Same product: Hackerbay Oneuptime
CVE-2026-34759Same product: Hackerbay Oneuptime
CVE-2026-33396Same product: Hackerbay Oneuptime
CVE-2026-32306Same product: Hackerbay Oneuptime
CVE-2026-27728Same product: Hackerbay Oneuptime
CVE-2026-33143Same product: Hackerbay Oneuptime
CVE-2026-35053Same product: Hackerbay Oneuptime
CVE-2026-28787Same product: Hackerbay Oneuptime
CVE-2026-30921Same product: Hackerbay Oneuptime

Affected Assets

hackerbay
oneuptime
≤ 10.0.21

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the path traversal vulnerability by requiring validation and sanitization of the unsanitized componentName parameter before file path construction.

prevent

Enforces logical access controls to prevent unauthorized reading of arbitrary server filesystem files via the vulnerable endpoint.

prevent

Requires identification and authentication for non-organizational users, blocking unauthenticated remote exploitation of the path traversal endpoint.

References