If your organization relies on OneUptime to keep a watchful eye on website availability, APIs, and online dashboards, a newly disclosed vulnerability requires your immediate attention. Tracked as CVE-2026-27728, this security flaw carries a maximum severity score of 10.0 (Critical) and exposes servers to complete compromise through a classic but critical attack method.
The core of the issue is an Operating System (OS) Command Injection vulnerability (CWE-78) located within OneUptime's NetworkPathMonitor component.
To understand how this works, we have to look at how the platform handles network diagnostic tools. When a user sets up a monitor to check a network path, the system uses a standard utility called traceroute. To execute this, the software takes the user-provided destination (like a website URL or IP address) and passes it directly to the server’s underlying operating system using a command execution function.
The fatal flaw here is a lack of "sanitization." The system trusts the user's input completely and does not strip away dangerous characters before running the command. An authenticated attacker can simply take a normal destination address and append shell metacharacters, such as semicolons (;), pipe symbols (|), or ampersands (&&), followed by their own malicious commands.
Because the system uses a command that spawns a raw shell environment, the server will interpret and execute everything the attacker typed, treating the malicious instructions with the same authority as the legitimate traceroute request.
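As an added illustration (not OneUptime's own code; the function names, the allowlist regexes and the `-n` option are this example's assumptions), here is the pattern described above beside a hardened form: the destination is validated against a hostname/IPv4 allowlist and then passed to `execFile` as a single argv entry, so no shell ever parses it.

```javascript
// Constructed example, not taken from the OneUptime code base.

// VULNERABLE PATTERN: the user-supplied destination is spliced into a command
// line that a shell will parse. Text after ; | or && becomes a second command.
function unsafeCommandLine(destination) {
  return `traceroute ${destination}`; // imagine this handed to exec()
}

// HARDENED PATTERN, step 1: allowlist what a traceroute target may look like.
// Accepts a dotted IPv4 address or an RFC 1123 hostname; anything else,
// including whitespace, quotes and shell metacharacters, is rejected.
// (IPv6 literals are deliberately out of scope for this short example.)
const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;
const HOSTNAME =
  /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidDestination(destination) {
  if (typeof destination !== "string") return false;
  return IPV4.test(destination) || HOSTNAME.test(destination);
}

// HARDENED PATTERN, step 2: build an argument vector, never a command string.
// The destination occupies exactly one argv slot, so even if validation were
// loosened later, a metacharacter inside it could not split the command.
// Labels cannot begin with "-", so the value can never be read as an option.
function buildTracerouteArgv(destination) {
  if (!isValidDestination(destination)) {
    throw new Error("invalid traceroute destination");
  }
  return { file: "traceroute", args: ["-n", destination] };
}

// Runs the probe with execFile(), which spawns the binary directly (no shell).
// Not invoked by the tests below; shown for completeness of the safe path.
async function runTraceroute(destination) {
  const { file, args } = buildTracerouteArgv(destination);
  const { execFile } = await import("node:child_process");
  return new Promise((resolve, reject) => {
    execFile(file, args, { timeout: 30000 }, (err, stdout) =>
      err ? reject(err) : resolve(stdout)
    );
  });
}
```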
The consequences of this vulnerability are severe, particularly for multi-tenant SaaS deployments where multiple organizations share the same underlying infrastructure.
If an attacker, who only needs basic authenticated access to create or edit a network path monitor, exploits this flaw, they achieve Remote Code Execution (RCE). This grants them the ability to:
- Execute arbitrary commands: The attacker can run commands with the same privileges as the Probe service itself.
- Steal sensitive data: They can read highly confidential files stored on the server, including environment variables, database credentials, and service account tokens.
- Pivot and infiltrate: Because monitoring probes are often granted special access to view internal networks, an attacker can use the compromised server as a launching pad to attack other internal services that are normally hidden from the public internet.
- Establish backdoors: The attacker can plant reverse shells, malicious scheduled tasks, or unauthorized SSH keys to ensure they maintain access even after the initial vulnerability is patched.
The maintainers of OneUptime have successfully addressed this critical flaw.
- Affected Versions: All versions up to and including 10.0.6.
- Secured Version: Administrators must upgrade their instances to version 10.0.7 immediately.
Applying this patch ensures that the input is properly sanitized, neutralizing the threat before it can be actively exploited in the wild.