GHSA-H343-GG57-2Q67: CVE-2026-27574: Remote Code Execution in OneUptime Probe via VM Sandbox Escape
Source: Dev.to
CVE-2026-27574: Remote Code Execution in OneUptime Probe via VM Sandbox Escape
- Vulnerability ID: GHSA-H343-GG57-2Q67
- CVSS Score: 10.0
- Published: 2026-03-07
TL;DR
The OneUptime Probe executes user-defined monitoring scripts with the built-in Node.js vm module, which is not a security boundary. An attacker can escape this sandbox via this.constructor.constructor and gain full RCE on the host, including access to all cluster secrets. Fixed in version 10.0.5 by migrating script execution to isolated-vm.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-94
- CVSS v3.1: 10.0 (Critical)
- Attack Vector: Network
- EPSS Score: 0.00055
- Privileges Required: Low (Project Member)
- Exploit Status: PoC Available
Affected Systems
- OneUptime Probe
- OneUptime Synthetic Monitor Component
Versions: OneUptime ≤ 9.5.13 (Fixed in 10.0.5)
Code Analysis
Commit: 7f9ed4d – fix: security vulnerability in probe
// Diff shows removal of 'node:vm' usage and introduction of 'isolated-vm' logic in SyntheticMonitor/Worker.ts
Exploit Details
- GitHub Security Advisory: Advisory containing PoC and technical details
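The two checks a defender wants after reading the Versions and Code Analysis sections above are (1) whether a deployed OneUptime release falls inside the affected range and (2) whether a code base still hands untrusted scripts to node:vm rather than an isolated-vm isolate. The script below is an added example, not OneUptime code or part of the advisory; the version boundaries come from the advisory, while the two source snippets it scans are constructed for the demo (the isolated-vm snippet is an illustrative usage, not the project's Worker.ts).

```javascript
// Added example (not OneUptime's code): an audit helper for this advisory.
//   1. assessVersion(): is a deployed version inside the affected range?
//   2. auditSource(): does a source file still use the node:vm module as a
//      sandbox, and does it reference isolated-vm instead?
// The sample source snippets at the bottom are constructed for the demo.

const LAST_AFFECTED = '9.5.13'; // from the advisory: OneUptime <= 9.5.13
const FIXED_VERSION = '10.0.5'; // from the advisory: fixed in 10.0.5

// Parse "v10.0.5" / "10.0.5" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// 'affected'  : at or below the last affected release
// 'fixed'     : at or above the fixed release
// 'unknown'   : releases between the two, which the advisory does not list
function assessVersion(v) {
  if (compareVersions(v, LAST_AFFECTED) <= 0) return 'affected';
  if (compareVersions(v, FIXED_VERSION) >= 0) return 'fixed';
  return 'unknown';
}

// Imports of the built-in vm module (CommonJS or ESM, with or without "node:").
const VM_IMPORT = /\brequire\(\s*['"](?:node:)?vm['"]\s*\)|\bfrom\s+['"](?:node:)?vm['"]/;
// Calls that execute code through the vm module. The "vm." prefix is required so
// that unrelated helpers such as isolate.createContext() are not flagged.
const VM_EXEC = /\bvm\.(?:runInNewContext|runInContext|runInThisContext|createContext|compileFunction)\s*\(|\bnew\s+vm\.Script\s*\(/;
const ISOLATED_VM = /['"]isolated-vm['"]/;

// Scan one source file and report every line that relies on node:vm.
function auditSource(src) {
  const findings = [];
  src.split('\n').forEach((line, idx) => {
    if (VM_IMPORT.test(line)) {
      findings.push({ line: idx + 1, kind: 'node:vm import', text: line.trim() });
    } else if (VM_EXEC.test(line)) {
      findings.push({ line: idx + 1, kind: 'node:vm execution', text: line.trim() });
    }
  });
  return {
    usesNodeVm: findings.length > 0,
    usesIsolatedVm: ISOLATED_VM.test(src),
    findings,
  };
}

// Constructed "before" snippet: untrusted script run in the probe's own isolate.
const SAMPLE_BEFORE = `
import vm from 'node:vm';
export function runScript(code, context) {
  // the monitoring script shares the V8 isolate with the probe process
  return vm.runInNewContext(code, context, { timeout: 5000 });
}
`;

// Constructed "after" snippet: script run inside a separate isolated-vm isolate.
const SAMPLE_AFTER = `
import ivm from 'isolated-vm';
export async function runScript(code) {
  const isolate = new ivm.Isolate({ memoryLimit: 128 });
  const context = await isolate.createContext();
  return context.eval(code, { timeout: 5000 });
}
`;

// Stand-alone run: print the assessment for a few versions and both snippets.
for (const v of ['9.5.13', '10.0.4', '10.0.5']) {
  console.log(`${v}: ${assessVersion(v)}`);
}
console.log('before:', auditSource(SAMPLE_BEFORE));
console.log('after :', auditSource(SAMPLE_AFTER));
```

Point auditSource at each file of a checkout (for example by reading every .ts/.js file under the probe's source directory) to get a per-line list of node:vm usage; a file that still imports node:vm to execute tenant-supplied scripts should be treated as affected regardless of the version tag, since the vm module offers no isolation from the host process.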
Mitigation Strategies
- Upgrade to version 10.0.5 or later
- Rotate all cluster secrets (Database, Redis, OneUptime Secret)
- Disable Synthetic Monitor functionality if patching is delayed
- Restrict “Project Member” access to trusted personnel
Remediation Steps
- Pull the latest OneUptime Docker images (tag 10.0.5+).
- Redeploy the OneUptime Probe and API services.
- Generate new passwords for PostgreSQL, Redis, and ClickHouse.
- Update the ONEUPTIME_SECRET variable in the deployment configuration.
- Restart the entire cluster to apply the new credentials.
- Verify that existing monitors continue to function correctly.