Critical Flaw in OneUptime Probe Allows Server Takeover
A critical command injection vulnerability, CVE-2026-27728, has been disclosed in the OneUptime Probe monitoring tool. The flaw carries a CVSS score of 10.0, allowing for a full server takeover on affected deployments. Teams using OneUptime for API or dashboard monitoring are urged to patch immediately.
The vulnerability, discovered by security firm SentinelOne, resides in the `NetworkPathMonitor.performTraceroute()` function within the OneUptime Probe. This function improperly used the Node.js `child_process.exec()` function, which runs its command string through a shell. This allowed any authenticated user, regardless of their permission level, to inject shell metacharacters (like `;`, `|`, `&`) into the "destination" field for a network traceroute monitor. By crafting a malicious destination string, an attacker could trick the server into executing arbitrary commands with the privileges of the Probe server process. For example, a destination like "example.com; cat /etc/passwd" would execute the legitimate traceroute and then also dump the password file. This provides a direct path to remote code execution (RCE) on the server hosting the probe.

The exploit requires an attacker to have credentials for a project on a OneUptime instance, but even low-privilege accounts are sufficient to carry out the attack. Given that probe servers often run with elevated permissions to monitor infrastructure, this flaw could allow an attacker to dump sensitive files, install malware, or pivot to other systems within a network.

OneUptime addressed the critical flaw in version 10.0.7 by replacing the vulnerable `exec()` call with `execFile()`. The `execFile()` function does not spawn a shell; it runs the program directly and takes its arguments as an array, so shell metacharacters in a destination are never interpreted and the injection vector is neutralized.

OneUptime is an open-source observability platform positioned as a cost-effective alternative to services like Datadog, PagerDuty, and StatusPage.io. Its appeal lies in its all-in-one, self-hostable nature, which gives companies full control over their data and can lead to significant cost savings, often cited as 70-90% compared to bundled SaaS products.
The platform has gained traction within the developer community, evidenced by over 6,500 stars on its GitHub repository. Its user base ranges from startups to large enterprises and Fortune 500 companies, who are often looking to consolidate monitoring tools and reduce unpredictable, per-host pricing models common with other vendors.