Custom JavaScript Execution Flaw in OneUptime Monitoring Solution
CVE-2026-27574

10 CRITICAL

Key Information:

Vendor: OneUptime
Status: Vendor
CVE Published: 21 February 2026

What is CVE-2026-27574?

OneUptime's custom JavaScript monitor feature executes user-supplied code with Node.js's node:vm module, which is not a security sandbox. An attacker can trivially escape the vm context and take full control of the underlying process. The probe runs with host networking, and its environment holds cluster credentials such as ONEUPTIME_SECRET and several database passwords. Because monitor creation is available to the least-privileged users, including anonymous visitors, an attacker can compromise the entire cluster within seconds. The issue is fixed in OneUptime version 10.0.5.

Affected Version(s)

oneuptime < 10.0.5

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published: 21 February 2026

  • Vulnerability reserved