OneUptime Synthetic Monitor RCE via exposed Playwright browser object
Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A low-privileged authenticated user can achieve remote code execution on the OneUptime probe server by injecting malicious Playwright API calls via Synthetic Monitors.
Vulnerability
Overview
CVE-2026-30957 is a server-side remote code execution vulnerability in OneUptime versions prior to 10.0.21. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm module while live host-realm Playwright browser and page objects are accessible to that code. This design flaw allows a low-privileged authenticated project user to craft a malicious monitor that calls Playwright APIs on the injected browser object, causing the probe to spawn an attacker-controlled executable [1][2].
Exploitation
An attacker with project member permissions can create or edit Synthetic Monitors. Because the monitor code runs in a vm context that has direct access to the host's Playwright browser and page objects, the attacker does not need to escape a sandbox; they can simply invoke Playwright APIs on the injected browser object that cause the probe to spawn an attacker-controlled executable, thereby executing arbitrary commands on the oneuptime-probe server or container [1][2].
Impact
Successful exploitation grants the attacker arbitrary command execution on the probe server. This can lead to full compromise of the monitoring infrastructure, including access to sensitive data, lateral movement within the environment, and disruption of monitoring services [1][2].
Mitigation
The vulnerability is fixed in OneUptime version 10.0.21 [1][4]. Users should upgrade immediately. No workarounds are documented; the fix likely involves restricting the execution context or removing direct access to host-realm objects [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @oneuptime/common | npm | < 10.0.21 | 10.0.21 |
Affected products
- OneUptime/oneuptime: < 10.0.21
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jw8q-gjvg-8w4q (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-30957 (ADVISORY)
- github.com/OneUptime/oneuptime/releases/tag/10.0.21 (WEB)
- github.com/OneUptime/oneuptime/security/advisories/GHSA-jw8q-gjvg-8w4q (CONFIRM, WEB)
News mentions
No linked articles in our index yet.