OneUptime:: node:vm sandbox escape in probe allows any project member to achieve RCE

The impact of CVE-2026-27574 is severe. The vulnerability stems from the way OneUptime allows users to define custom JavaScript monitors. These monitors are executed within Node.js using the vm module, which is explicitly documented by Node.js as unsuitable for running untrusted code. An attacker who can register an account can inject malicious JavaScript code into a monitor. This code then executes with the privileges of the OneUptime probe process, which has host networking access and holds all cluster credentials in its environment. This effectively grants the attacker complete control over the cluster, enabling them to steal sensitive data, modify configurations, and potentially pivot to other systems within the network. The attack pattern mirrors scenarios where untrusted code execution within a containerized environment leads to complete container breakout and host compromise.

Organizations using OneUptime with custom JavaScript monitors are at risk. This includes teams relying on OneUptime for application performance monitoring and those who have granted project members the ability to create and manage custom monitors. Shared hosting environments where multiple users share the same OneUptime instance are particularly vulnerable, as a compromised account could impact all users on the host.

• nodejs / server:

ps aux | grep 'node -e' | grep '@oneuptime/common'

• nodejs / server:

journalctl -u oneuptime -g 'VMRunner.t'

• generic web: Use curl to check for exposed monitor endpoints and attempt to inject simple JavaScript payloads to test for RCE.

curl 'http://<oneuptime_server>/monitor/execute?script=<malicious_javascript>'

1. 2026-02-24Disclosure

   disclosure

2. 2026-02-24Patch

   patch

1. आरक्षित2026-02-20
2. प्रकाशित2026-02-24
3. EPSS अद्यतन2026-03-23

The primary mitigation for CVE-2026-27574 is to immediately upgrade to version 10.0.0 or later of the @oneuptime/common package. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and sanitization for any user-supplied JavaScript code used in monitors. While not a complete solution, this can reduce the attack surface. Review existing monitors for any suspicious or unusual code. Consider implementing a Web Application Firewall (WAF) with rules to detect and block malicious JavaScript payloads targeting the monitor execution endpoint. Monitor system logs for unusual process activity or unexpected network connections originating from the OneUptime probe process. After upgrading, confirm the fix by attempting to execute a known malicious payload within a monitor and verifying that it is blocked or fails to execute.