OneUptime, a popular multi-tenant platform for monitoring websites and APIs, has released urgent patches to address two maximum-severity vulnerabilities. These flaws, both carrying a CVSS score of 10.0, could allow a low-privileged user to bypass security boundaries, access sensitive data belonging to other organizations, and even seize full control of victim accounts.
The vulnerabilities affect the core of OneUptime’s authorization and monitoring components, making immediate updates essential for all self-hosted deployments.
The first critical issue, tracked as CVE-2026-30956, is an authorization bypass that fundamentally breaks the “tenant isolation” that keeps different customers’ data separate.
The root cause is misplaced trust in client-supplied data. The server treated a client-controlled is-multi-tenant-query header, sent alongside a projectid of the attacker's choosing, as a signal to skip its internal permission checks, so a request that should have been scoped to the caller's own project was answered for any project. According to the report, this allows an attacker to:
- Access Project Data: View monitoring data belonging to any other tenant on the system.
- Leak Credentials: Read sensitive user fields through nested data relations.
- Seize Accounts: Read plaintext password reset tokens belonging to other users, then use them to set a new password and fully take over the victim's account.
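The pattern behind the first flaw, reduced to a minimal handler, as an added illustration that is not OneUptime's code. The header name is the one the advisory cites; the fixture data, the user and project identifiers, the session shape and the function names are all constructed for the example. The vulnerable handler lets a client-set header short-circuit the per-project check; the hardened handler ignores the header, derives scope only from server-side membership, and strips sensitive fields so a list endpoint cannot leak credentials through nested data.

```javascript
// Added illustration (not OneUptime's code): why a client-controlled
// "is-multi-tenant-query" header must never bypass the per-project check.

// Constructed fixture: two tenants, and one low-privileged user who is a
// member of project "p-alpha" only.
const DB = {
  monitors: [
    { id: 'm1', projectId: 'p-alpha', name: 'alpha API', secret: 'alpha-token' },
    { id: 'm2', projectId: 'p-beta',  name: 'beta API',  secret: 'beta-token' },
  ],
  memberships: { 'user-1': new Set(['p-alpha']) },
};

// Server-side membership lookup: the only thing allowed to decide tenant scope.
function userHasProject(userId, projectId) {
  const projects = DB.memberships[userId];
  return Boolean(projects && projects.has(projectId));
}

// Vulnerable pattern: a header the client controls tells the server to skip
// the permission check, and the project id also comes straight from the client.
function vulnerableListMonitors(req) {
  const userId = req.session.userId;
  const projectId = req.headers['projectid'];
  const isMultiTenant = req.headers['is-multi-tenant-query'] === 'true';
  if (!isMultiTenant && !userHasProject(userId, projectId)) {
    throw new Error('403 forbidden');
  }
  return DB.monitors.filter((m) => m.projectId === projectId);
}

// Hardened pattern: the header is never consulted. Scope comes from the
// authenticated session plus a verified membership, and the response is
// projected to non-sensitive fields. Genuine cross-tenant work belongs in an
// internal, non-HTTP code path, not in a request flag.
function hardenedListMonitors(req) {
  const userId = req.session.userId;
  const projectId = req.headers['projectid'];
  if (typeof projectId !== 'string' || !userHasProject(userId, projectId)) {
    throw new Error('403 forbidden');
  }
  return DB.monitors
    .filter((m) => m.projectId === projectId)
    .map((m) => ({ id: m.id, projectId: m.projectId, name: m.name }));
}

// Constructed forged request: user-1 asks for tenant p-beta with the bypass header.
const forgedRequest = {
  session: { userId: 'user-1' },
  headers: { projectid: 'p-beta', 'is-multi-tenant-query': 'true' },
};

// Runs both handlers on the same request and reports ids returned or the error.
function runComparison(req) {
  const result = { vulnerable: null, hardened: null };
  try { result.vulnerable = vulnerableListMonitors(req).map((m) => m.id); }
  catch (e) { result.vulnerable = e.message; }
  try { result.hardened = hardenedListMonitors(req).map((m) => m.id); }
  catch (e) { result.hardened = e.message; }
  return result;
}

console.log(runComparison(forgedRequest));
// → { vulnerable: [ 'm2' ], hardened: '403 forbidden' }
```

The useful check when auditing a multi-tenant API is the one the comparison makes explicit: every code path that relaxes scoping must be reachable only from trusted internal callers, never from a value an HTTP client can set.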
The second vulnerability, CVE-2026-30957, is a Server-Side Remote Code Execution (RCE) flaw found in the OneUptime Synthetic Monitor component. Synthetic monitors typically allow users to run scripts to test their services, but this implementation contained a dangerous oversight.
While the monitor code is intended to run in a restricted environment, researchers found that a Playwright browser object was accidentally exposed to the untrusted code. A malicious user can call Playwright APIs on this injected object to spawn an attacker-controlled executable directly on the oneuptime-probe server.
The impact of this RCE is severe:
- No Sandbox Escape Required: The untrusted script does not have to break out of its restricted environment. The exposed object already lives in the host realm, so simply calling its methods runs code on the probe host.
- Infrastructure Access: Attackers can gain access to internal services, Kubernetes metadata, and database or proxy credentials within the cluster.
OneUptime has addressed these issues in version 10.0.21. All users running version 10.0.20 or lower are urged to update their deployments immediately to protect against cross-tenant data exposure and server compromise.