Platform: nodejs
Component: oneuptime
Fixed in: 10.0.36
CVE-2026-33396 is a critical remote command execution (RCE) vulnerability affecting OneUptime, an open-source monitoring and observability platform. This vulnerability allows a low-privileged authenticated user (ProjectMember) to execute arbitrary commands on the Probe container/host. The issue arises from incomplete sandbox restrictions within Synthetic Monitor Playwright script execution, impacting versions 10.0.35 and earlier. A fix is available in version 10.0.35.
The impact of CVE-2026-33396 is severe, enabling an attacker to gain complete control over the Probe container or host. By exploiting the incomplete sandbox restrictions in Synthetic Monitor Playwright scripts, a ProjectMember role can bypass intended security measures and execute arbitrary commands. This could lead to data exfiltration, system compromise, and potential disruption of monitoring services. The ability to execute commands within the Probe container significantly expands the attack surface, potentially allowing for lateral movement within the network if the Probe has access to other systems. This vulnerability shares similarities with other sandbox escape vulnerabilities where insufficient property/method blocking allows attackers to bypass security boundaries.
CVE-2026-33396 was publicly disclosed on 2026-03-26. The vulnerability is not currently listed on CISA KEV, but its critical severity warrants close monitoring. Public proof-of-concept (PoC) code is likely to emerge given the RCE nature and relatively straightforward exploitation path. Active exploitation campaigns are currently unconfirmed, but the vulnerability's ease of exploitation suggests a potential for opportunistic attacks.
Exploit Status
EPSS: 0.84% (75th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33396 is to immediately upgrade OneUptime to version 10.0.35 or later. If upgrading is not immediately feasible, consider implementing stricter access controls to limit the privileges of ProjectMember roles, restricting their ability to create or modify Synthetic Monitors. While not a complete solution, reviewing and auditing existing Synthetic Monitor Playwright scripts for potentially malicious code can help identify and mitigate immediate risks. Monitor system logs for unusual process executions originating from the Probe container. After upgrading, confirm the fix by attempting to execute a Playwright script with potentially malicious code and verifying that it is properly sandboxed and does not result in command execution.
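The log-monitoring step above, as an added example that is not OneUptime's own code: it flags process launches inside the Probe container that the Playwright runtime should never need. The audit-line format, container names and executable paths are assumptions constructed for this example; adapt them to what your exec auditing (auditd, eBPF, Falco) actually emits and to your own Probe image.

```javascript
// Added example (not OneUptime's code): detect unexpected process launches
// from the Probe's Node runtime, the place a sandbox escape would surface.

// Executables a Playwright-based Probe is expected to spawn from Node.
// Paths are assumptions; take them from your own Probe image.
const EXPECTED_PROBE_CHILDREN = new Set([
  '/usr/local/bin/node',
  '/ms-playwright/chromium/chrome-linux/chrome',
]);

// Parse one constructed exec-audit line of the form
// <ts> container=<name> parent=<comm> exe=<path> argv="<cmdline>"
function parseExecLine(line) {
  const m = line.match(/^(\S+) container=(\S+) parent=(\S+) exe=(\S+) argv="([^"]*)"$/);
  if (!m) return null;
  return { ts: m[1], container: m[2], parent: m[3], exe: m[4], argv: m[5] };
}

// Return an alert for every event where the Probe's Node process started
// something outside the allowlist. Events from other containers, or spawned
// by the browser itself, are ignored so normal synthetic runs stay quiet.
function findUnexpectedExecs(lines, probeContainer, allowed = EXPECTED_PROBE_CHILDREN) {
  const alerts = [];
  for (const line of lines) {
    const ev = parseExecLine(line);
    if (!ev || ev.container !== probeContainer || ev.parent !== 'node') continue;
    if (allowed.has(ev.exe)) continue;
    alerts.push({ ts: ev.ts, exe: ev.exe, argv: ev.argv });
  }
  return alerts;
}

// Constructed sample: two legitimate launches, one that warrants an alert,
// and one from a different container that must not be counted.
const SAMPLE_LOG = [
  '2026-03-27T10:15:01Z container=oneuptime-probe parent=node exe=/ms-playwright/chromium/chrome-linux/chrome argv="chrome --headless"',
  '2026-03-27T10:15:01Z container=oneuptime-probe parent=chrome exe=/ms-playwright/chromium/chrome-linux/chrome argv="chrome --type=renderer"',
  '2026-03-27T10:15:02Z container=oneuptime-probe parent=node exe=/bin/sh argv="sh -c uname -a"',
  '2026-03-27T10:15:03Z container=oneuptime-app parent=node exe=/bin/sh argv="sh -c npm run migrate"',
];

function demo() {
  return findUnexpectedExecs(SAMPLE_LOG, 'oneuptime-probe');
}

console.log(demo()); // one alert: /bin/sh spawned by node in oneuptime-probe
```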
Update OneUptime to version 10.0.35 or higher. This version contains a fix for the remote command execution vulnerability. The update will prevent unauthorized users from executing arbitrary commands on the Probe container/host.
CVE-2026-33396 is a critical remote command execution vulnerability in OneUptime versions 10.0.35 and earlier, allowing authenticated users to execute arbitrary commands.
You are affected if you are using OneUptime version 10.0.35 or earlier and have users with ProjectMember roles who can create or modify Synthetic Monitors.
Upgrade OneUptime to version 10.0.35 or later to resolve this vulnerability. Consider restricting ProjectMember privileges as an interim measure.
Active exploitation is currently unconfirmed, but the vulnerability's severity and ease of exploitation suggest a potential for opportunistic attacks.
Refer to the OneUptime security advisories page for the latest information and official guidance: [https://oneuptime.com/security](https://oneuptime.com/security)