CVE-2026-35053

Critical · Public PoC

Published: 02 April 2026
Modified: 13 April 2026
KEV added: not listed
Patch: 10.0.42
CVSS v4 score: 9.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0055 (41.5th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-35053 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 41.5th percentile by exploit likelihood (below the median). It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-35053 is a critical vulnerability in OneUptime, an open-source monitoring and observability platform, affecting versions prior to 10.0.42. The issue lies in the Worker service's ManualAPI, which exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. Classified under CWE-306 (Missing Authentication for Critical Function), it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting the potential for complete loss of confidentiality, integrity, and availability.

Any remote attacker who can obtain or guess a valid workflow ID can exploit these unauthenticated endpoints to trigger arbitrary workflow execution with attacker-controlled input data. Successful exploitation enables JavaScript code execution, abuse of notification mechanisms, and manipulation of data within the platform, potentially leading to full compromise depending on the workflows configured.

The vulnerability has been patched in OneUptime version 10.0.42. Mitigation details are available in the GitHub release notes at https://github.com/OneUptime/oneuptime/releases/tag/10.0.42 and the security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6c3w-7xg4-4cf7.

Vulnerability details

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipulation. This issue has been patched in version 10.0.42.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The vulnerability provides unauthenticated remote access to public-facing workflow execution endpoints (T1190), enabling arbitrary JavaScript code execution via attacker-controlled inputs (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34758 (same product: Hackerbay Oneuptime)
CVE-2026-30921 (same product: Hackerbay Oneuptime)
CVE-2026-27574 (same product: Hackerbay Oneuptime)
CVE-2026-32308 (same product: Hackerbay Oneuptime)
CVE-2026-34840 (same product: Hackerbay Oneuptime)
CVE-2026-33142 (same product: Hackerbay Oneuptime)
CVE-2026-34759 (same product: Hackerbay Oneuptime)
CVE-2026-30958 (same product: Hackerbay Oneuptime)
CVE-2026-33396 (same product: Hackerbay Oneuptime)
CVE-2026-32306 (same product: Hackerbay Oneuptime)

Affected Assets

hackerbay
oneuptime
≤ 10.0.42

Mitigating Controls (NIST 800-53 r5)

AC-14 Permitted Actions Without Identification or Authentication (prevent): Directly addresses the CVE by requiring limitation of actions permitted without authentication, preventing unauthenticated access to workflow execution endpoints.

AC-3 Access Enforcement (prevent): Mandates enforcement mechanisms for access control policies, ensuring authentication middleware blocks unauthorized workflow triggers.

Identification and authentication (prevent): Requires identification and authentication of users or processes before accessing critical functions like workflow execution APIs.
