PT-2026-24254 · Oneuptime · Oneuptime

Iconnnjka · Published 2026-03-10 · Updated 2026-03-17 · CVE-2026-30958

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 10.0.21

Description: OneUptime is a solution for monitoring and managing online services. A path traversal issue exists in the /workflow/docs/:componentName API endpoint, allowing unauthenticated reading of arbitrary files from the server filesystem. The componentName route parameter is directly concatenated into a file path and passed to the res.sendFile() function within the orker/FeatureSet/Workflow/Index.ts file without any sanitization or authentication checks.

Recommendations: Update to version 10.0.21 or later.
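
The concatenation pattern from the description next to a hardened resolver, as an added example (not OneUptime's code and not its actual fix). `DOCS_DIR`, the function names and all request values are assumptions constructed for illustration, and the handler is modelled as a plain function instead of an Express route so it runs offline.

```javascript
// Added example. DOCS_DIR and all request values are constructed.
const path = require("path");

const DOCS_DIR = path.resolve("/srv/app/workflow-docs"); // hypothetical docs root

// The pattern the advisory describes: the route parameter goes straight
// into the path, so "../" segments resolve outside DOCS_DIR.
function unsafeDocPath(componentName) {
  return path.join(DOCS_DIR, componentName);
}

// Hardened resolver: strict allow-list on the name, then a containment
// check on the resolved path as a second, independent barrier.
function safeDocPath(componentName) {
  if (typeof componentName !== "string") return null;
  if (!/^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$/.test(componentName)) return null;
  if (componentName.includes("..")) return null;
  const resolved = path.resolve(DOCS_DIR, componentName);
  const rel = path.relative(DOCS_DIR, resolved);
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) return null;
  return resolved;
}

// Framework-free model of the route handler: returns what the server would
// do instead of calling res.sendFile(), so it can be exercised offline.
function handleDocRequest(rawParam, isAuthenticated) {
  if (!isAuthenticated) return { status: 401, file: null };
  let name;
  try {
    // A web framework hands the handler an already URL-decoded parameter;
    // decoding the raw segment here models that step.
    name = decodeURIComponent(rawParam);
  } catch (e) {
    return { status: 400, file: null }; // malformed percent-encoding
  }
  const file = safeDocPath(name);
  return file ? { status: 200, file } : { status: 400, file: null };
}
```

In a real handler, the path returned by `safeDocPath` is what would be passed to `res.sendFile()`, and a `null` result would end the request with an error response.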

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-30958
GHSA-P2WH-9PW8-HVFF

Affected Products

Oneuptime