CRITICAL · CVE-2026-33396 · CVSS 10

CVE-2026-33396: RCE in OneUptime Monitoring Platform

Platform: nodejs

Component: oneuptime

Fixed in: 10.0.36

AI Confidence: high · NVD · EPSS 0.8% · Reviewed: May 2026

CVE-2026-33396 is a critical remote command execution (RCE) vulnerability affecting OneUptime, an open-source monitoring and observability platform. This vulnerability allows a low-privileged authenticated user (ProjectMember) to execute arbitrary commands on the Probe container/host. The issue arises from incomplete sandbox restrictions within Synthetic Monitor Playwright script execution, impacting versions 10.0.35 and earlier. A fix is available in version 10.0.35.

Impact and Attack Scenarios

The impact of CVE-2026-33396 is severe, enabling an attacker to gain complete control over the Probe container or host. By exploiting the incomplete sandbox restrictions in Synthetic Monitor Playwright scripts, a ProjectMember role can bypass intended security measures and execute arbitrary commands. This could lead to data exfiltration, system compromise, and potential disruption of monitoring services. The ability to execute commands within the Probe container significantly expands the attack surface, potentially allowing for lateral movement within the network if the Probe has access to other systems. This vulnerability shares similarities with other sandbox escape vulnerabilities where insufficient property/method blocking allows attackers to bypass security boundaries.

Exploitation Context

CVE-2026-33396 was publicly disclosed on 2026-03-26. The vulnerability is not currently listed on CISA KEV, but its critical severity warrants close monitoring. Public proof-of-concept (PoC) code is likely to emerge given the RCE nature and relatively straightforward exploitation path. Active exploitation campaigns are currently unconfirmed, but the vulnerability's ease of exploitation suggests a potential for opportunistic attacks.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.84% (75th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (base score 10.0, CRITICAL; nextguardhq.com, CVSS v3.1 base score)

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: oneuptime
Vendor: OneUptime
Affected range: < 10.0.35
Fixed in: 10.0.36

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-33396 is to immediately upgrade OneUptime to version 10.0.35 or later. If upgrading is not immediately feasible, consider implementing stricter access controls to limit the privileges of ProjectMember roles, restricting their ability to create or modify Synthetic Monitors. While not a complete solution, reviewing and auditing existing Synthetic Monitor Playwright scripts for potentially malicious code can help identify and mitigate immediate risks. Monitor system logs for unusual process executions originating from the Probe container. After upgrading, confirm the fix by attempting to execute a Playwright script with potentially malicious code and verifying that it is properly sandboxed and does not result in command execution.
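As an added example (not OneUptime's own code) of the interim checks described above: a small Node.js audit that flags stored Synthetic Monitor scripts reaching outside the Playwright browser API and compares an installed version against the fix release. The fix version is a parameter because this page lists it as 10.0.36 in its metadata and 10.0.35 in the text; the sample scripts and version strings are constructed.

```javascript
// Added example, not OneUptime's code. Static pre-upgrade audit of stored
// monitor scripts plus a version check. All sample data is constructed.

// Indicators that a Playwright monitor script reaches outside the browser
// automation API. Any hit deserves manual review, not automatic trust.
const RISKY_PATTERNS = [
  { id: "require", re: /\brequire\s*\(/ },
  { id: "process", re: /\bprocess\s*[.[]/ },
  { id: "child_process", re: /child_process/ },
  { id: "eval", re: /\beval\s*\(/ },
  { id: "function-ctor", re: /\bFunction\s*\(/ },
  { id: "dynamic-import", re: /\bimport\s*\(/ },
  { id: "globalThis", re: /\bglobalThis\b/ },
  { id: "proto-walk", re: /__proto__|\.constructor\b/ },
];

// Return the indicator ids found in one script source, in pattern order.
function auditScript(source) {
  const hits = [];
  for (const { id, re } of RISKY_PATTERNS) {
    if (re.test(source)) hits.push(id);
  }
  return hits;
}

// Compare dotted numeric versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed version is older than the release carrying the fix.
function isAffected(installed, fixedIn) {
  return compareVersions(installed, fixedIn) < 0;
}

// Audit a list of { name, source } monitors; returns only those with findings.
function auditMonitors(monitors) {
  return monitors
    .map((m) => ({ name: m.name, findings: auditScript(m.source) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample monitors: one ordinary page check, one touching Node APIs.
const SAMPLE_MONITORS = [
  { name: "login-page", source: "await page.goto(url); await page.click('#login');" },
  { name: "suspicious", source: "const os = require('os'); console.log(process.env.HOME);" },
];
```

Run `auditMonitors(SAMPLE_MONITORS)` against an export of your own monitors and `isAffected(version, "10.0.36")` against the running Probe to decide which hosts need the upgrade first.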

How to fix

Update OneUptime to version 10.0.35 or higher. This version contains a fix for the remote command execution vulnerability. The update will prevent unauthorized users from executing arbitrary commands on the Probe container/host.


Frequently asked questions

What is CVE-2026-33396 — RCE in OneUptime?

CVE-2026-33396 is a critical remote command execution vulnerability in OneUptime versions 10.0.35 and earlier, allowing authenticated users to execute arbitrary commands.

Am I affected by CVE-2026-33396 in OneUptime?

You are affected if you are using OneUptime version 10.0.35 or earlier and have users with ProjectMember roles who can create or modify Synthetic Monitors.

How do I fix CVE-2026-33396 in OneUptime?

Upgrade OneUptime to version 10.0.35 or later to resolve this vulnerability. Consider restricting ProjectMember privileges as an interim measure.

Is CVE-2026-33396 being actively exploited?

Active exploitation is currently unconfirmed, but the vulnerability's severity and ease of exploitation suggest a potential for opportunistic attacks.

Where can I find the official OneUptime advisory for CVE-2026-33396?

Refer to the OneUptime security advisories page for the latest information and official guidance: [https://oneuptime.com/security](https://oneuptime.com/security)
