CVE-2026-35053
OneUptime: Unauthenticated Workflow Execution via ManualAPI
Severity: CRITICAL
Title source: CNA description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipulation. This issue has been patched in version 10.0.42.
References (2)
Confirm (x_refsource_confirm): https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6c3w-7xg4-4cf7
Misc (x_refsource_misc): https://github.com/OneUptime/oneuptime/releases/tag/10.0.42
Scores
CVSS v3 base score: 9.8
EPSS: 0.0055
EPSS Percentile: 41.3%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-306 (Missing Authentication for Critical Function)
Status: published
Products (2)
hackerbay/oneuptime: < 10.0.42
OneUptime/oneuptime: < 10.0.42
Published: Apr 02, 2026
Tracked Since: Apr 03, 2026