Path Traversal Vulnerability in OneUptime Up to Version 10.0.20
CVE-2026-30958

7.2 HIGH

Key Information:

Vendor: Oneuptime

Status
Vendor
CVE Published: 10 March 2026

What is CVE-2026-30958?

OneUptime, a solution for monitoring and managing online services, contains a path traversal vulnerability in the /workflow/docs/:componentName endpoint. The endpoint lacks proper sanitization and authentication controls, so unauthenticated users can read sensitive files from the server filesystem. The vulnerability is present in versions prior to 10.0.21 and poses a significant risk to the confidentiality of information stored on the server. The issue has been fixed in version 10.0.21.
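The class of check that closes this kind of flaw, as an added example (not OneUptime's code or its actual fix): a route parameter such as componentName is validated against an allowlist and the resolved path is confirmed to stay inside the docs directory. The directory path, the ".md" suffix and all function names are assumptions made for illustration.

```javascript
// Added example: containing a route parameter that is used as a file name.
// POSIX path semantics are used so results are the same on every platform.
const path = require("path").posix;

// Assumption: component docs are flat Markdown files in a single directory.
const DOCS_ROOT = "/usr/src/app/docs/components"; // hypothetical location

// Conservative allowlist: letters, digits, dash, underscore. No dots, no
// slashes, no percent signs, so encoded separators are rejected as well.
const SAFE_NAME = /^[A-Za-z0-9_-]{1,64}$/;

// Returns an absolute path inside `root`, or null if the name is rejected.
function resolveComponentDoc(componentName, root = DOCS_ROOT) {
  // Query/route parsers can hand back arrays or objects; accept strings only.
  if (typeof componentName !== "string") return null;

  // Layer 1: the name must be a plain identifier.
  if (!SAFE_NAME.test(componentName)) return null;

  // Layer 2: resolve, then confirm the result is still under the root.
  // This still holds if the allowlist above is loosened later.
  const base = path.resolve(root);
  const candidate = path.resolve(base, componentName + ".md");
  if (!candidate.startsWith(base + "/")) return null;
  return candidate;
}

// Generic unsafe pattern shown for contrast: join without any validation.
function naiveResolve(componentName, root = DOCS_ROOT) {
  return path.join(root, componentName + ".md");
}

// True when a resolved path lies outside `root`.
function escapesRoot(resolved, root = DOCS_ROOT) {
  return !path.resolve(resolved).startsWith(path.resolve(root) + "/");
}
```

A handler built on this returns 404 whenever resolveComponentDoc yields null, and sits behind the same authentication middleware as the rest of the workflow API.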

Affected Version(s)

oneuptime < 10.0.21

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
