Unrated severityNVD Advisory· Published Mar 10, 2026· Updated Mar 10, 2026

OneUptime: Path Traversal — Arbitrary File Read (No Auth)

CVE-2026-30958

Description

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts with no sanitization or authentication middleware. This vulnerability is fixed in 10.0.21.

Affected products

Hackerbay/Oneuptimellm-fuzzy
Range: <10.0.21
OneUptime/oneuptimev5
Range: < 10.0.21

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/OneUptime/oneuptime/releases/tag/10.0.21mitrex_refsource_MISC
github.com/OneUptime/oneuptime/security/advisories/GHSA-p2wh-9pw8-hvffmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000