CVE-2026-27574

Name of the Vulnerable Software and Affected Versions OneUptime versions 9.5.13 and below

Description OneUptime is a solution for monitoring and managing online services. The custom JavaScript monitor feature utilizes Node.js's node:vm module, which is explicitly documented as not being a security mechanism, to execute user-supplied code. This allows for a trivial sandbox escape via a one-liner, granting full access to the underlying process. The probe operates with host networking and contains sensitive cluster credentials, including ONEUPTIME SECRET, DATABASE PASSWORD, REDIS PASSWORD, and CLICKHOUSE PASSWORD, within its environment variables. Monitor creation is accessible to the lowest role (ProjectMember) with open registration enabled by default, enabling any anonymous user to potentially achieve full cluster compromise in approximately 30 seconds.

Recommendations Update to version 10.0.5 or later.