Platform: nodejs
Component: oneuptime
Fixed in: 10.0.22
CVE-2026-30958 describes a Path Traversal vulnerability discovered in OneUptime, a solution for monitoring and managing online services. This vulnerability allows unauthenticated attackers to read arbitrary files from the server's filesystem. The issue affects versions of OneUptime prior to 10.0.21, and a patch has been released to address it.
The impact of this vulnerability is significant due to its unauthenticated nature and the potential for widespread data exposure. An attacker can exploit this flaw by crafting a malicious request to the /workflow/docs/:componentName endpoint, manipulating the componentName parameter to access sensitive files such as configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the OneUptime server and potentially the underlying infrastructure. The ability to read arbitrary files bypasses typical access controls, making it a high-risk vulnerability.
This vulnerability was publicly disclosed on 2026-03-10. Currently, there are no known active campaigns exploiting this specific CVE. No proof-of-concept (PoC) code has been publicly released, but the ease of exploitation makes it likely that one will emerge. The vulnerability is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.14% (35th percentile)
The primary mitigation for CVE-2026-30958 is to immediately upgrade OneUptime to version 10.0.21 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /workflow/docs/:componentName endpoint or restrict access to this endpoint based on IP address or user authentication. Additionally, review file permissions on the server to ensure that sensitive files are not accessible to the OneUptime user account. After upgrading, confirm the fix by attempting to access arbitrary files through the /workflow/docs/:componentName endpoint; the request should be denied.
Update OneUptime to version 10.0.21 or higher. This version fixes the path traversal vulnerability that allows arbitrary file reading without authentication. The update can be performed through the OneUptime administration panel or by following the update instructions provided by the vendor.
CVE-2026-30958 is a Path Traversal vulnerability affecting OneUptime versions before 10.0.21. It allows unauthenticated attackers to read arbitrary files from the server's filesystem.
Any installation running OneUptime version 10.0.21 or earlier is vulnerable to this Path Traversal vulnerability.
Upgrade OneUptime to version 10.0.21 or later to resolve this vulnerability. Consider WAF rules as a temporary mitigation.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation suggests potential for future attacks.
Refer to the OneUptime official security advisory for detailed information and updates regarding CVE-2026-30958.