PatchSiren cyber security CVE debrief
CVE-2026-45102 OneUptime CVE debrief
OneUptime, an open-source monitoring and observability platform, contains a critical sandbox escape vulnerability in versions prior to 10.0.98. The platform uses Node.js's `vm` module as an isolation primitive for executing untrusted code. However, the `vm` module was not designed for secure isolation and can be escaped through manipulation of error objects and infinite recursion. Successful exploitation allows an attacker with low privileges to break out of the sandboxed environment, potentially achieving complete compromise of the host system with high impact to confidentiality, integrity, and availability. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, and changed scope, resulting in a critical 9.9 score. This vulnerability was disclosed on May 27, 2026, with a fix released in version 10.0.98. Organizations running OneUptime should prioritize upgrading to the patched version, as the `vm` module's architectural limitations make this class of vulnerability particularly dangerous for multi-tenant or externally facing deployments.
- Vendor: OneUptime
- Product: Unknown
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running OneUptime instances, particularly those with multi-tenant deployments, external user access, or integrations executing user-supplied code. DevOps teams, security engineers, and platform operators responsible for observability infrastructure should prioritize this patch.
Technical summary
The Node.js `vm` module provides a V8 virtual machine context for executing JavaScript code, but lacks the security boundaries required for untrusted code isolation. Attackers can exploit error object prototypes and infinite recursion to access the host context's global object, escaping the sandbox. This is a known architectural limitation of the `vm` module, which the Node.js documentation explicitly warns against using for untrusted code. OneUptime's use of this module for isolation prior to 10.0.98 created a critical attack surface.
Defensive priority
critical
Recommended defensive actions
- Upgrade OneUptime to version 10.0.98 or later immediately
- Audit any custom scripts or integrations using OneUptime's sandboxed execution features for signs of compromise
- Consider implementing additional defense-in-depth controls such as container isolation or separate process boundaries for untrusted code execution
- Review access controls to limit who can submit code for sandboxed execution
- Monitor for anomalous process behavior or unexpected outbound connections from OneUptime instances
Evidence notes
Vulnerability confirmed through GitHub Security Advisory GHSA-g9cp-35m2-fjv6. Classified as CWE-693 (Protection Mechanism Failure). Fix version 10.0.98 explicitly stated in the advisory.
Official resources
- CVE-2026-45102 CVE record (CVE.org)
- CVE-2026-45102 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27