CVE-2026-30957: OneUptime has Synthetic Monitor RCE via exposed Playwright browser object
OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container.
The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm module while live, host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable.
This is a server-side remote code execution issue. It does not require a separate vm sandbox escape.