OneUptime Synthetic Monitor RCE via exposed Playwright browser object
Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OneUptime Synthetic Monitors allow low-privileged users to execute arbitrary code on probe servers via injected Playwright objects, leading to RCE. Fixed in 10.0.20.
Root
Cause
The vulnerability lies in OneUptime's Synthetic Monitor feature, where low-privileged project users can submit custom Playwright code that is executed on the oneuptime-probe service. This code runs inside Node's vm module but is given access to live Playwright objects such as browser and page. This exposure creates a distinct server-side RCE primitive: attackers can directly use the injected browser object to call browser.browserType().launch(...) and spawn arbitrary executables on the probe host or container, bypassing traditional sandbox escape techniques [1][2].
Attack
Vector
A user with Project Member permissions (or lower, depending on access controls) can create or edit a synthetic monitor and embed malicious Playwright code. The code is executed on the probe service without proper isolation, as the vm sandbox does not protect against dangerous host capabilities injected into the untrusted code. No additional authentication or network position is required beyond accessing the Synthetic Monitor creation functionality [1][2].
Impact
Successful exploitation allows an attacker to achieve remote code execution on the probe host or container. This can lead to full compromise of the monitoring infrastructure, including lateral movement within the environment, data exfiltration, and disruption of monitoring services [1][2].
Mitigation
The vulnerability is fixed in OneUptime version 10.0.20. Users are strongly advised to upgrade immediately. No known workarounds are available, as the issue stems from fundamental design choices in sandboxing untrusted code [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@oneuptime/commonnpm | < 10.0.20 | 10.0.20 |
Affected products
2- OneUptime/oneuptimev5Range: < 10.0.20
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
12- github.com/advisories/GHSA-4j36-39gm-8vq8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-30921ghsaADVISORY
- github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/App/FeatureSet/Dashboard/src/Components/Form/Monitor/MonitorStep.tsxghsaWEB
- github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/App/FeatureSet/Dashboard/src/Components/Form/Monitor/MonitorTest.tsxghsaWEB
- github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Models/DatabaseModels/Monitor.tsghsaWEB
- github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Models/DatabaseModels/MonitorTest.tsghsaWEB
- github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Server/Utils/VM/VMRunner.tsghsaWEB
- github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Jobs/Monitor/FetchList.tsghsaWEB
- github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Jobs/Monitor/FetchMonitorTest.tsghsaWEB
- github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Utils/Monitors/Monitor.tsghsaWEB
- github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Utils/Monitors/MonitorTypes/SyntheticMonitor.tsghsaWEB
- github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.