PT-2026-29883 · Oneuptime · Oneuptime
N0Rv-Tvt
·
Published
2026-04-02
·
Updated
2026-04-14
·
CVE-2026-35053
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OneUptime versions prior to 10.0.42
Description
The OneUptime platform's Worker service ManualAPI exposes workflow execution endpoints without authentication. Specifically, the GET and POST endpoints
/workflow/manual/run/:workflowId are vulnerable. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data. This can lead to JavaScript code execution, notification abuse, and data manipulation.Recommendations
Update to version 10.0.42 or later.
Fix
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Oneuptime