{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/oneuptime/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OneUptime"],"_cs_severities":["critical"],"_cs_tags":["oneuptime","rce","playwright","cve-2026-33396","sandbox-escape","execution","linux"],"_cs_type":"advisory","_cs_vendors":["OneUptime"],"content_html":"\u003cp\u003eOneUptime, an open-source monitoring and observability platform, is vulnerable to remote command execution (RCE). This vulnerability, identified as CVE-2026-33396, affects versions prior to 10.0.35. A low-privileged, authenticated user with ProjectMember rights can exploit the Synthetic Monitor feature by injecting malicious Playwright scripts. The vulnerability resides within the VMRunner.runCodeInNodeVM function, where the code is executed with a live Playwright page object. The platform's sandbox, designed to prevent arbitrary code execution, relies on an incomplete denylist. The lack of proper filtering for properties like \u003ccode\u003e_browserType\u003c/code\u003e and methods like \u003ccode\u003elaunchServer\u003c/code\u003e allows attackers to bypass the sandbox restrictions. This enables the attacker to traverse the object \u003ccode\u003epage.context().browser()._browserType.launchServer(...)\u003c/code\u003e and ultimately spawn arbitrary processes on the Probe container or host. This vulnerability poses a significant risk to organizations using OneUptime, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA low-privileged user authenticates to the OneUptime platform as a ProjectMember.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the Synthetic Monitor feature.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a synthetic monitor, injecting malicious JavaScript code within the Playwright script execution context.\u003c/li\u003e\n\u003cli\u003eThe malicious script utilizes the \u003ccode\u003epage.context().browser()\u003c/code\u003e object to access the internal Playwright browser instance.\u003c/li\u003e\n\u003cli\u003eThe script leverages the non-blocked \u003ccode\u003e_browserType\u003c/code\u003e property to gain access to browser management functionalities.\u003c/li\u003e\n\u003cli\u003eThe script calls the \u003ccode\u003elaunchServer()\u003c/code\u003e method via \u003ccode\u003epage.context().browser()._browserType.launchServer(...)\u003c/code\u003e to spawn a new process.\u003c/li\u003e\n\u003cli\u003eThe attacker specifies an arbitrary command to be executed by the spawned process, bypassing the intended sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe arbitrary command executes on the Probe container/host, resulting in remote command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33396 grants attackers the ability to execute arbitrary commands on the OneUptime Probe container or host. The observed damage includes unauthorized access to sensitive data, modification of system configurations, and potential lateral movement within the network. Given the nature of monitoring and observability platforms, this vulnerability could lead to a compromise of the entire monitored infrastructure. While the number of victims is unknown, all OneUptime instances running versions prior to 10.0.35 are susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OneUptime to version 10.0.35 or later to patch CVE-2026-33396.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting CVE-2026-33396.\u003c/li\u003e\n\u003cli\u003eReview and harden the Synthetic Monitor input validation and sanitization processes within OneUptime.\u003c/li\u003e\n\u003cli\u003eImplement strict network segmentation to limit the potential impact of a compromised Probe container/host.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-23-oneuptime-rce/","summary":"A low-privileged authenticated user can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution in OneUptime versions prior to 10.0.35.","title":"OneUptime Remote Command Execution via Playwright Script Abuse (CVE-2026-33396)","url":"https://feed.craftedsignal.io/briefs/2024-01-23-oneuptime-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - OneUptime","version":"https://jsonfeed.org/version/1.1"}