Platform
nodejs
Component
oneuptime
Fixed in
10.0.43
CVE-2026-35053 describes a Remote Code Execution (RCE) vulnerability in OneUptime, an open-source monitoring and observability platform. An unauthenticated attacker can trigger execution of any workflow whose ID they know, which can lead to data compromise and control of the server. The flaw affects OneUptime versions prior to 10.0.42 and is resolved in version 10.0.42.
The vulnerability lies in the Worker service's ManualAPI, specifically the GET and POST handlers for /workflow/manual/run/:workflowId. These routes are registered without authentication middleware, so any attacker who can determine a valid workflowId can start that workflow. Because OneUptime workflows can be configured to execute arbitrary JavaScript on the server, an attacker can run that code at will and, where a workflow acts on its request input, feed it attacker-controlled data. Consequences include data exfiltration, modification of monitoring configuration, denial of service, or full compromise of the host. Workflows that send notifications can also be abused to deliver phishing messages or misleading alerts to on-call staff.
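To make the bug class concrete, here is an added illustration (not OneUptime's code) of an Express-style router in which the manual-run routes are registered once without any middleware and once behind an authentication check, plus a small audit helper that flags sensitive routes missing that check. The workflow store, the workflow ID, the `x-api-key` scheme and the `requireAuth` function are all assumptions made up for the example.

```javascript
'use strict';

// Added illustration, not OneUptime's code. It models an Express-style router
// so the missing-middleware bug and its fix can be shown side by side.
// Names, IDs and the API key below are made up for the example.

// Constructed workflow store. A workflow step is user-authored JavaScript,
// which is what makes unauthenticated triggering an RCE problem.
const WORKFLOWS = new Map([
  ['wf-1234', { name: 'notify-oncall', script: 'return "paged " + input.team;' }],
]);

// Hypothetical credential store standing in for real session/API-key checks.
const VALID_API_KEYS = new Set(['test-api-key']);

// Auth middleware: returns a response to short-circuit, or null to continue.
function requireAuth(req) {
  const key = req.headers['x-api-key'];
  if (!key || !VALID_API_KEYS.has(key)) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  return null;
}

// Handler for /workflow/manual/run/:workflowId: looks up the workflow and runs
// its script with the request body as input.
function runWorkflow(req) {
  const wf = WORKFLOWS.get(req.params.workflowId);
  if (!wf) return { status: 404, body: { error: 'no such workflow' } };
  const result = new Function('input', wf.script)(req.body || {});
  return { status: 200, body: { result } };
}

// Turn '/a/:id' into a RegExp plus the list of parameter names.
function compilePattern(pattern) {
  const names = [];
  const src = pattern.replace(/:([A-Za-z]+)/g, (_, n) => { names.push(n); return '([^/]+)'; });
  return { re: new RegExp('^' + src + '$'), names };
}

// Minimal router: first matching (method, path) wins; middlewares run in order
// before the handler and can end the request early.
function createRouter(routes) {
  const compiled = routes.map(r => ({ ...r, ...compilePattern(r.path) }));
  return function dispatch(req) {
    for (const r of compiled) {
      if (r.method !== req.method) continue;
      const m = r.re.exec(req.path);
      if (!m) continue;
      req.params = Object.fromEntries(r.names.map((n, i) => [n, m[i + 1]]));
      for (const mw of r.middlewares) {
        const early = mw(req);
        if (early) return early;
      }
      return r.handler(req);
    }
    return { status: 404, body: { error: 'not found' } };
  };
}

const MANUAL_RUN = '/workflow/manual/run/:workflowId';

// Before: both verbs registered with no middleware at all (the bug class).
const VULNERABLE_ROUTES = [
  { method: 'GET',  path: MANUAL_RUN, middlewares: [], handler: runWorkflow },
  { method: 'POST', path: MANUAL_RUN, middlewares: [], handler: runWorkflow },
];

// After: the same routes behind requireAuth.
const FIXED_ROUTES = [
  { method: 'GET',  path: MANUAL_RUN, middlewares: [requireAuth], handler: runWorkflow },
  { method: 'POST', path: MANUAL_RUN, middlewares: [requireAuth], handler: runWorkflow },
];

const vulnerableRouter = createRouter(VULNERABLE_ROUTES);
const fixedRouter = createRouter(FIXED_ROUTES);

// Regression check for CI: every route under a sensitive prefix must carry
// requireAuth. Returns the offenders as 'METHOD path' strings.
function unguardedRoutes(routes, sensitivePrefix) {
  return routes
    .filter(r => r.path.startsWith(sensitivePrefix) && !r.middlewares.includes(requireAuth))
    .map(r => `${r.method} ${r.path}`);
}

if (typeof require !== 'undefined' && require.main === module) {
  const anon = { method: 'POST', path: '/workflow/manual/run/wf-1234', headers: {}, body: { team: 'sre' } };
  console.log('vulnerable:', JSON.stringify(vulnerableRouter({ ...anon })));
  console.log('fixed:     ', JSON.stringify(fixedRouter({ ...anon })));
  console.log('unguarded:', unguardedRoutes(VULNERABLE_ROUTES, '/workflow/manual/run'));
}
```

The point of `unguardedRoutes` is that a route's security depends on how it was registered, not on what its handler does; a test that walks the route table and fails on any sensitive path without the auth middleware catches this class of regression before it ships.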
This vulnerability was publicly disclosed on 2026-04-02. There is currently no indication of exploitation in the wild and it is not listed in CISA's KEV catalog, but the affected endpoints require no authentication and are trivial to request, so the combination of easy exploitation and high impact warrants immediate attention.
Exploit Status
EPSS
0.12% (31st percentile)
CISA SSVC
The primary mitigation is to upgrade OneUptime to version 10.0.42 or later. If that is not immediately feasible, restrict access to the Worker service's /workflow/manual/run/:workflowId routes at a reverse proxy or WAF in front of it, either by blocking the path outright or by requiring authentication there; do not rely on workflowId values remaining secret. Review existing workflows for steps that execute JavaScript or send notifications and consider what an attacker could achieve by triggering them on demand. After upgrading, confirm the fix by requesting the endpoints without credentials, with both GET and POST, and verifying that the service answers 401 or 403 rather than running the workflow.
Update OneUptime to version 10.0.42 or later. That release closes the unauthenticated manual workflow-run routes, which is what allowed attackers to execute arbitrary JavaScript, abuse notifications, or manipulate data.
CVE-2026-35053 is a Remote Code Execution vulnerability in OneUptime versions prior to 10.0.42, allowing attackers to trigger arbitrary workflow execution without authentication.
You are affected if you are running any OneUptime version prior to 10.0.42. Check your version immediately and upgrade if necessary.
Upgrade to OneUptime version 10.0.42 or later. As a temporary workaround, restrict access to the /workflow/manual/run/:workflowId endpoints.
There is currently no confirmed active exploitation, but the vulnerability's ease of exploitation makes it a high-risk concern.
Refer to the OneUptime security advisories on their official website or GitHub repository for the latest information and updates.