<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OneUptime - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/oneuptime/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 23 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/oneuptime/feed.xml" rel="self" type="application/rss+xml"/><item><title>OneUptime Remote Command Execution via Playwright Script Abuse (CVE-2026-33396)</title><link>https://feed.craftedsignal.io/briefs/2024-01-23-oneuptime-rce/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-23-oneuptime-rce/</guid><description>A low-privileged authenticated user can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution in OneUptime versions prior to 10.0.35.</description><content:encoded><![CDATA[<p>OneUptime, an open-source monitoring and observability platform, is vulnerable to remote command execution (RCE). This vulnerability, identified as CVE-2026-33396, affects versions prior to 10.0.35. A low-privileged, authenticated user with ProjectMember rights can exploit the Synthetic Monitor feature by injecting malicious Playwright scripts. The vulnerability resides within the VMRunner.runCodeInNodeVM function, where the code is executed with a live Playwright page object. The platform's sandbox, designed to prevent arbitrary code execution, relies on an incomplete denylist. The lack of proper filtering for properties like <code>_browserType</code> and methods like <code>launchServer</code> allows attackers to bypass the sandbox restrictions. This enables the attacker to traverse the object <code>page.context().browser()._browserType.launchServer(...)</code> and ultimately spawn arbitrary processes on the Probe container or host. This vulnerability poses a significant risk to organizations using OneUptime, potentially leading to complete system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A low-privileged user authenticates to the OneUptime platform as a ProjectMember.</li>
<li>The attacker accesses the Synthetic Monitor feature.</li>
<li>The attacker creates or modifies a synthetic monitor, injecting malicious JavaScript code within the Playwright script execution context.</li>
<li>The malicious script utilizes the <code>page.context().browser()</code> object to access the internal Playwright browser instance.</li>
<li>The script leverages the non-blocked <code>_browserType</code> property to gain access to browser management functionalities.</li>
<li>The script calls the <code>launchServer()</code> method via <code>page.context().browser()._browserType.launchServer(...)</code> to spawn a new process.</li>
<li>The attacker specifies an arbitrary command to be executed by the spawned process, bypassing the intended sandbox restrictions.</li>
<li>The arbitrary command executes on the Probe container/host, resulting in remote command execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33396 grants attackers the ability to execute arbitrary commands on the OneUptime Probe container or host. The observed damage includes unauthorized access to sensitive data, modification of system configurations, and potential lateral movement within the network. Given the nature of monitoring and observability platforms, this vulnerability could lead to a compromise of the entire monitored infrastructure. While the number of victims is unknown, all OneUptime instances running versions prior to 10.0.35 are susceptible.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OneUptime to version 10.0.35 or later to patch CVE-2026-33396.</li>
<li>Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting CVE-2026-33396.</li>
<li>Review and harden the Synthetic Monitor input validation and sanitization processes within OneUptime.</li>
<li>Implement strict network segmentation to limit the potential impact of a compromised Probe container/host.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>oneuptime</category><category>rce</category><category>playwright</category><category>cve-2026-33396</category><category>sandbox-escape</category><category>execution</category><category>linux</category></item></channel></rss>