CVE-2026-30958
Published: 10 March 2026
Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts with no sanitization or authentication middleware. This vulnerability is fixed in 10.0.21.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the path traversal vulnerability by requiring validation and sanitization of the unsanitized componentName parameter before file path construction.
- Enforces logical access controls to prevent unauthorized reading of arbitrary server filesystem files via the vulnerable endpoint.
- Requires identification and authentication for non-organizational users, blocking unauthenticated remote exploitation of the path traversal endpoint.
Security Summary
CVE-2026-30958 is an unauthenticated path traversal vulnerability (CWE-22) in OneUptime, a solution for monitoring and managing online services. Versions prior to 10.0.21 are affected, specifically the /workflow/docs/:componentName endpoint. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts without sanitization or authentication middleware, allowing attackers to read arbitrary files from the server filesystem.
Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation enables reading of arbitrary files, resulting in low confidentiality and integrity impacts but no availability impact. The CVSS v3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting high severity due to the changed scope.
The vulnerability is fixed in OneUptime version 10.0.21. Mitigation details are available in the GitHub security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p2wh-9pw8-hvff and the release notes at https://github.com/OneUptime/oneuptime/releases/tag/10.0.21.
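As an added example (not OneUptime's code, which is not reproduced here), the construction the advisory describes beside a hardened version of the same lookup; DOCS_ROOT, the function names and the sample inputs are assumptions:

```typescript
import * as path from "path";

// Directory the docs handler is meant to serve from (constructed for this example;
// the real OneUptime path is not reproduced here).
const DOCS_ROOT: string = path.resolve("/srv/oneuptime/workflow-docs");

// The construction the advisory describes: the route parameter is joined straight
// into the path that is then handed to res.sendFile(). path.join() normalises away
// any "../" segments, so the ".." rejection inside sendFile never sees them.
function unsafeDocPath(componentName: string): string {
  return path.join(DOCS_ROOT, componentName);
}

// Hardened version. Two independent checks:
//  1. an allowlist on the identifier shape (component names are simple tokens), which
//     rejects "/", "\", "." and NUL before any path arithmetic happens;
//  2. containment: resolve the candidate and confirm it is still under DOCS_ROOT.
// Returns null for anything rejected; the caller answers 404 in that case.
const COMPONENT_NAME = /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/;

function safeDocPath(componentName: string): string | null {
  if (!COMPONENT_NAME.test(componentName)) return null;
  const resolved = path.resolve(DOCS_ROOT, componentName);
  if (!isInside(DOCS_ROOT, resolved)) return null;
  return resolved;
}

// True when `candidate` is `root` itself or a descendant of it. Checking the
// relative path (not a string prefix) stops "/srv/oneuptime/workflow-docs-private"
// from being accepted as inside "/srv/oneuptime/workflow-docs".
function isInside(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate);
  if (rel === "") return true;
  if (path.isAbsolute(rel)) return false;
  return rel !== ".." && !rel.startsWith(".." + path.sep);
}

// Minimal handler shape so the example runs without Express installed; in an Express
// app the same logic sits in the route callback before res.sendFile().
type DocResult = { status: 200; file: string } | { status: 404 };

function handleDocRequest(componentName: string): DocResult {
  const file = safeDocPath(componentName);
  return file === null ? { status: 404 } : { status: 200, file };
}
```

Passing the raw parameter with the root option (res.sendFile(componentName, { root: DOCS_ROOT })) lets the library's own traversal rejection apply, but an explicit allowlist like the one above remains the primary control.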
Details
- CWE(s): CWE-22 (Path Traversal)
- Affected Products: OneUptime, versions prior to 10.0.21
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated path traversal in a public-facing web endpoint (T1190: Exploit Public-Facing Application) enables arbitrary file reads from the local filesystem (T1005: Data from Local System).