CVE-2026-30958
Published: 10 March 2026
Summary
CVE-2026-30958 is a high-severity Path Traversal (CWE-22) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the path traversal vulnerability by requiring validation and sanitization of the unsanitized componentName parameter before file path construction.
Enforces logical access controls to prevent unauthorized reading of arbitrary server filesystem files via the vulnerable endpoint.
Requires identification and authentication for non-organizational users, blocking unauthenticated remote exploitation of the path traversal endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated path traversal in public-facing web endpoint (T1190: Exploit Public-Facing Application) enables arbitrary file reads from the local filesystem (T1005: Data from Local System).
NVD Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file path…
more
passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts with no sanitization or authentication middleware. This vulnerability is fixed in 10.0.21.
Deeper analysisAI
CVE-2026-30958 is an unauthenticated path traversal vulnerability (CWE-22) in OneUptime, a solution for monitoring and managing online services. Versions prior to 10.0.21 are affected, specifically the /workflow/docs/:componentName endpoint. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts without sanitization or authentication middleware, allowing attackers to read arbitrary files from the server filesystem.
Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation enables reading of arbitrary files, resulting in low confidentiality and integrity impacts but no availability impact. The CVSS v3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting high severity due to the changed scope.
The vulnerability is fixed in OneUptime version 10.0.21. Mitigation details are available in the GitHub security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p2wh-9pw8-hvff and the release notes at https://github.com/OneUptime/oneuptime/releases/tag/10.0.21.
Details
- CWE(s)