CVE-2026-35053
Published: 02 April 2026
Summary
CVE-2026-35053 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 37.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly addresses the CVE by requiring that the set of actions permitted without authentication be limited, which rules out unauthenticated access to workflow execution endpoints.
- AC-3 (Access Enforcement): mandates enforcement mechanisms for access control policies, so that authentication middleware, not just policy, blocks unauthorized workflow triggers.
- Identification and authentication of users or processes before they can reach critical functions such as the workflow execution API.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability provides unauthenticated remote access to public-facing workflow execution endpoints (T1190), enabling arbitrary JavaScript code execution via attacker-controlled inputs (T1059.007).
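A detection check that follows from the T1190 mapping, added here as an example rather than anything from this page or from the OneUptime project: it parses constructed access-log lines (the log format, the IP addresses and the workflow IDs are all assumptions, not a logging format OneUptime documents), isolates requests to /workflow/manual/run/, and flags a source that probes many distinct workflow IDs (guessing) or that triggers a run from outside an assumed trusted-source list. On an unpatched instance a 2xx status says nothing about whether the caller was authenticated, since nothing authenticates it, so the allowlist and the enumeration threshold are the only discriminators, and both are tunable assumptions.

```javascript
'use strict';

// Constructed sample log (not real OneUptime output) in a combined-log-like
// format: ip, identity, user, [timestamp], "method path version", status, bytes.
const SAMPLE_LOG = `
10.0.0.5 - - [03/Apr/2026:10:00:01 +0000] "GET /status-page/abc HTTP/1.1" 200 512
203.0.113.9 - - [03/Apr/2026:10:00:02 +0000] "GET /workflow/manual/run/wf-0001 HTTP/1.1" 404 21
203.0.113.9 - - [03/Apr/2026:10:00:02 +0000] "GET /workflow/manual/run/wf-0002 HTTP/1.1" 404 21
203.0.113.9 - - [03/Apr/2026:10:00:03 +0000] "GET /workflow/manual/run/wf-0003 HTTP/1.1" 404 21
203.0.113.9 - - [03/Apr/2026:10:00:04 +0000] "POST /workflow/manual/run/wf-7f3a HTTP/1.1" 200 44
10.0.0.5 - - [03/Apr/2026:10:00:05 +0000] "POST /workflow/manual/run/wf-7f3a HTTP/1.1" 200 44
`.trim();

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+$/;
// The two endpoints named in the advisory share this path prefix; the
// captured segment is the workflowId the caller supplied.
const MANUAL_RUN_RE = /^\/workflow\/manual\/run\/([^/?]+)/;

// Parse one access-log line into its fields, or null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Summarise manual-run traffic per source IP and emit findings.
// trustedSources and enumerationThreshold are assumed tuning values.
function analyseManualRuns(logText, { trustedSources = [], enumerationThreshold = 3 } = {}) {
  const bySource = new Map();
  for (const raw of logText.split('\n')) {
    const rec = parseLine(raw);
    if (!rec) continue;
    const m = MANUAL_RUN_RE.exec(rec.path);
    if (!m) continue;
    const s = bySource.get(rec.ip) || { ids: new Set(), misses: 0, runs: 0 };
    s.ids.add(m[1]);
    if (rec.status === 404) s.misses += 1;           // unknown ID: a guess that failed
    if (rec.status >= 200 && rec.status < 300) s.runs += 1; // a workflow actually ran
    bySource.set(rec.ip, s);
  }
  const findings = [];
  for (const [ip, s] of bySource) {
    if (s.ids.size >= enumerationThreshold && s.misses > 0) {
      findings.push({ ip, kind: 'workflow-id-enumeration', ids: s.ids.size });
    }
    if (s.runs > 0 && !trustedSources.includes(ip)) {
      findings.push({ ip, kind: 'manual-run-from-untrusted-source', runs: s.runs });
    }
  }
  return findings;
}

// Stand-alone run over the constructed sample.
console.log(analyseManualRuns(SAMPLE_LOG, { trustedSources: ['10.0.0.5'] }));
```

With the sample above, the internal host 10.0.0.5 produces no finding, while 203.0.113.9 is flagged twice: four distinct IDs with three misses (enumeration) and one successful run from an untrusted source.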
NVD Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipulation. This issue has been patched in version 10.0.42.
Deeper analysis
CVE-2026-35053 is a critical vulnerability in OneUptime, an open-source monitoring and observability platform, affecting versions prior to 10.0.42. The issue lies in the Worker service's ManualAPI, which exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. Classified under CWE-306 (Missing Authentication for Critical Function), it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low complexity, no privileges or user interaction required, with high confidentiality, integrity, and availability impact, which places it in the Critical band.
Any remote attacker who can obtain or guess a valid workflow ID can exploit these unauthenticated endpoints to trigger arbitrary workflow execution with attacker-controlled input data. Successful exploitation enables JavaScript code execution, abuse of notification mechanisms, and manipulation of data within the platform, potentially leading to full compromise depending on the workflows configured.
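The pattern behind the flaw and its fix, as an added illustration that is not OneUptime's code and does not reproduce its ManualAPI: a minimal Express-style dispatcher (MiniRouter, requireApiKey, runWorkflow, the workflow ID wf-7f3a, the x-api-key header and the key value are all constructed for this example) registers the two manual-run routes first with no authentication step, then with an authentication middleware ahead of the handler. The request simulation shows that the vulnerable registration executes the workflow with caller-supplied input for an anonymous client who knows the ID, while the hardened registration returns 401 and never reaches the handler.

```javascript
'use strict';

// Constructed sample state (not from OneUptime): one workflow and one valid key.
const WORKFLOWS = new Map([
  ['wf-7f3a', { name: 'page-oncall', executions: [] }],
]);
const VALID_API_KEYS = new Set(['key-example-1']);

// Tiny Express-style router: add(method, pattern, ...handlers) registers a
// middleware chain; dispatch(req) runs the first matching chain and returns
// the response object. Only the middleware-ordering behaviour matters here.
class MiniRouter {
  constructor() { this.routes = []; }
  add(method, pattern, ...handlers) {
    const keys = [];
    const source = pattern.replace(/:(\w+)/g, (_, k) => { keys.push(k); return '([^/]+)'; });
    this.routes.push({ method, re: new RegExp(`^${source}$`), keys, handlers });
  }
  dispatch(req) {
    const res = { status: 404, body: 'not found' };
    for (const r of this.routes) {
      const m = r.method === req.method ? r.re.exec(req.path) : null;
      if (!m) continue;
      req.params = Object.fromEntries(r.keys.map((k, i) => [k, m[i + 1]]));
      let i = 0;
      const next = () => { const h = r.handlers[i++]; if (h) h(req, res, next); };
      next();
      break;
    }
    return res;
  }
}

// Authentication middleware: the chain stops unless a valid key is presented.
function requireApiKey(req, res, next) {
  const key = (req.headers || {})['x-api-key'];
  if (!VALID_API_KEYS.has(key)) {
    res.status = 401;
    res.body = 'authentication required';
    return; // next() is not called, so the handler never runs
  }
  next();
}

// Workflow handler: records an execution with whatever input the caller sent.
// This is the critical function CWE-306 is about; it trusts req.body entirely.
function runWorkflow(req, res) {
  const wf = WORKFLOWS.get(req.params.workflowId);
  if (!wf) { res.status = 404; res.body = 'no such workflow'; return; }
  wf.executions.push({ input: req.body ?? null });
  res.status = 200;
  res.body = { ran: wf.name };
}

// The shape of the flaw: both routes registered with no authentication step,
// so knowing (or guessing) the workflowId is the only requirement.
function buildVulnerableApp() {
  const app = new MiniRouter();
  app.add('GET', '/workflow/manual/run/:workflowId', runWorkflow);
  app.add('POST', '/workflow/manual/run/:workflowId', runWorkflow);
  return app;
}

// Hardened form: the authentication middleware precedes the handler on both
// routes, so an anonymous request is rejected before any workflow logic runs.
function buildHardenedApp() {
  const app = new MiniRouter();
  app.add('GET', '/workflow/manual/run/:workflowId', requireApiKey, runWorkflow);
  app.add('POST', '/workflow/manual/run/:workflowId', requireApiKey, runWorkflow);
  return app;
}

// Send one manual-run request for wf-7f3a; report status and how many
// executions it caused (0 or 1).
function triggerRun(app, { apiKey, method = 'POST' } = {}) {
  const wf = WORKFLOWS.get('wf-7f3a');
  const before = wf.executions.length;
  const res = app.dispatch({
    method,
    path: '/workflow/manual/run/wf-7f3a',
    headers: apiKey ? { 'x-api-key': apiKey } : {},
    body: method === 'POST' ? { target: 'attacker-chosen value' } : null,
  });
  return { status: res.status, executed: wf.executions.length - before };
}

// Stand-alone run: the anonymous request succeeds only against the vulnerable app.
console.log('vulnerable, no key:', triggerRun(buildVulnerableApp()));
console.log('hardened, no key:  ', triggerRun(buildHardenedApp()));
console.log('hardened, valid key:', triggerRun(buildHardenedApp(), { apiKey: 'key-example-1' }));
```

The GET variant matters as much as the POST one: with the ID in the path, a bare browser request or a crafted link is enough to fire the workflow on the vulnerable registration. Middleware ordering is the whole fix in this sketch; in the real project the remedy is upgrading to 10.0.42.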
The vulnerability has been patched in OneUptime version 10.0.42. Mitigation details are available in the GitHub release notes at https://github.com/OneUptime/oneuptime/releases/tag/10.0.42 and the security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6c3w-7xg4-4cf7.
Details
- CWE(s)