Cyber Posture

CVE-2026-35053

Critical · Public PoC

Published: 02 April 2026
Modified: 13 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (31.1st percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipulation. This issue has been patched in version 10.0.42.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly addresses the CVE by requiring limitation of the actions permitted without authentication, preventing unauthenticated access to the workflow execution endpoints.

prevent: Mandates enforcement mechanisms for access control policies, ensuring that authentication middleware blocks unauthorized workflow triggers.

prevent: Requires identification and authentication of users or processes before they can access critical functions such as the workflow execution APIs.

Security Summary [AI-generated]

CVE-2026-35053 is a critical vulnerability in OneUptime, an open-source monitoring and observability platform, affecting versions prior to 10.0.42. The issue lies in the Worker service's ManualAPI, which exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. Classified under CWE-306 (Missing Authentication for Critical Function), it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete confidentiality, integrity, and availability impacts.

Any remote attacker who can obtain or guess a valid workflow ID can exploit these unauthenticated endpoints to trigger arbitrary workflow execution with attacker-controlled input data. Successful exploitation enables JavaScript code execution, abuse of notification mechanisms, and manipulation of data within the platform, potentially leading to full compromise depending on the workflows configured.

The vulnerability has been patched in OneUptime version 10.0.42. Mitigation details are available in the GitHub release notes at https://github.com/OneUptime/oneuptime/releases/tag/10.0.42 and the security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6c3w-7xg4-4cf7.

Details

CWE(s)

CWE-306 Missing Authentication for Critical Function

Affected Products

hackerbay / oneuptime: versions prior to 10.0.42 (fixed in 10.0.42)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The vulnerability provides unauthenticated remote access to public-facing workflow execution endpoints (T1190), enabling arbitrary JavaScript code execution via attacker-controlled inputs (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
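Both behaviours in the mapping above leave a trace in request logs: an unauthenticated caller reaching the manual-run endpoint (T1190) and, because the attacker must "obtain or guess a workflow ID", a burst of misses from one source on that path. The following is an added detection example, not OneUptime's code, run over constructed JSON access-log lines. The log schema (ts, src, method, path, status, authenticated) and the guessing threshold are assumptions; map the field names onto whatever your reverse proxy or the Worker actually emits.

```javascript
// Added example, not OneUptime's code: detection logic for the two behaviours
// this entry describes (an unauthenticated caller triggering a manual run, and
// a caller guessing workflow IDs), run over constructed Worker access-log
// lines. The JSON schema (ts, src, method, path, status, authenticated) is an
// assumption; map it onto whatever your reverse proxy or the Worker emits.

const MANUAL_RUN = /^\/workflow\/manual\/run\/([^/?#]+)/;

// Constructed sample: one legitimate authenticated run, one health check, a
// burst of misses consistent with ID guessing, then an unauthenticated run.
const SAMPLE_LOG = `
{"ts":"2026-04-03T09:00:01Z","src":"10.0.0.5","method":"POST","path":"/workflow/manual/run/wf-123","status":200,"authenticated":true}
{"ts":"2026-04-03T09:00:02Z","src":"10.0.0.7","method":"GET","path":"/api/health","status":200,"authenticated":false}
{"ts":"2026-04-03T09:05:10Z","src":"203.0.113.9","method":"GET","path":"/workflow/manual/run/wf-001","status":404,"authenticated":false}
{"ts":"2026-04-03T09:05:11Z","src":"203.0.113.9","method":"GET","path":"/workflow/manual/run/wf-002","status":404,"authenticated":false}
{"ts":"2026-04-03T09:05:12Z","src":"203.0.113.9","method":"GET","path":"/workflow/manual/run/wf-003","status":404,"authenticated":false}
{"ts":"2026-04-03T09:05:13Z","src":"203.0.113.9","method":"GET","path":"/workflow/manual/run/wf-004","status":404,"authenticated":false}
{"ts":"2026-04-03T09:05:14Z","src":"203.0.113.9","method":"GET","path":"/workflow/manual/run/wf-005","status":404,"authenticated":false}
{"ts":"2026-04-03T09:05:20Z","src":"203.0.113.9","method":"POST","path":"/workflow/manual/run/wf-123?x=1","status":200,"authenticated":false}
`;

function parseLogs(text) {
  return text.split("\n").filter((l) => l.trim()).map((l) => JSON.parse(l));
}

// Returns findings in log order. "unauthenticated-workflow-run" fires on a
// successful manual run with no credentials (on a patched Worker this should
// be impossible, so it also doubles as a patch-state check); the enumeration
// rule fires once when a single source accumulates guessThreshold misses on
// the manual-run path.
function detectManualRunAbuse(records, { guessThreshold = 5 } = {}) {
  const findings = [];
  const misses = new Map(); // src -> count of 404s on the manual-run path
  for (const rec of records) {
    const m = MANUAL_RUN.exec(rec.path);
    if (!m) continue;
    const workflowId = m[1];
    if (rec.status === 200 && !rec.authenticated) {
      findings.push({ rule: "unauthenticated-workflow-run", src: rec.src, workflowId, ts: rec.ts });
    }
    if (rec.status === 404) {
      const n = (misses.get(rec.src) ?? 0) + 1;
      misses.set(rec.src, n);
      if (n === guessThreshold) {
        findings.push({ rule: "workflow-id-enumeration", src: rec.src, attempts: n, ts: rec.ts });
      }
    }
  }
  return findings;
}

function runDetection(text = SAMPLE_LOG, opts) {
  return detectManualRunAbuse(parseLogs(text), opts);
}

for (const f of runDetection()) console.log(JSON.stringify(f));
```

Two caveats when adapting this. A Worker that is still on a version prior to 10.0.42 never authenticates these requests, so every manual run it logs will be unauthenticated; the first rule is then a patch-state indicator rather than an intrusion signal, and the enumeration rule plus source reputation carry the weight. After upgrading, unauthenticated requests should produce 401s, so a 200 without credentials on this path is itself the alert.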

References

https://github.com/OneUptime/oneuptime/releases/tag/10.0.42
https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6c3w-7xg4-4cf7