CRITICAL  CVE-2026-45102  (CNA: GitHub_M)

CVE-2026-45102: OneUptime: RCE due to Node.js' vm module escape via error objects and infinite recursion

OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime used the Node.js vm module as an isolation primitive. That API was not designed for isolation and can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98.

HarborGuard Analysis

Synopsis

A sandbox escape vulnerability in OneUptime, the open-source monitoring and observability platform, allows an authenticated attacker to break out of the Node.js vm module sandbox via crafted error objects and infinite recursion. The vulnerability is reachable over the network and requires only a low-privilege account; no victim interaction is needed. Successful exploitation gives the attacker full remote code execution on the host with high impact to confidentiality, integrity, and availability. Although the fix is available in version 10.0.98, no patched-image rebuild is currently listed; HarborGuard is tracking the advisory and will make a rebuild available as soon as an upstream fix image is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-45102 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the oneuptime package. Any image in a connected registry or CI pipeline running a version below 10.0.98 is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS 9.9 Critical using the published v3.1 vector, and surfaces it with per-environment compliance policy weighting so high-risk findings are routed to the appropriate team inbox inside each customer org. The Scope:Changed token is preserved in triage metadata, signaling that exploitation can affect resources beyond the vulnerable component itself.

Patch: Pending upstream

Because no patched base image has been published upstream yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fixed image is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once the upstream fix becomes available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service is exposed over the network, so the attacker must be able to reach it via a standard network connection.

  • Authentication: Required

    A low-privilege account is sufficient; any authenticated user of the OneUptime platform can trigger the sandbox escape.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker can trigger the escape directly without social engineering or user participation.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • A successful attacker escapes the Node.js vm sandbox and executes arbitrary code in the context of the OneUptime server process.
  • With high confidentiality impact, the attacker reads secrets, credentials, environment variables, and any monitoring data stored or in-flight on the host.
  • With high integrity impact, the attacker modifies persisted monitoring configuration, incident records, and alert routing rules.
  • With high availability impact and a Changed scope, the attacker crashes or destabilizes the OneUptime service and can affect other components sharing the same host or cluster node.

How HarborGuard Handles This

Available on HarborGuard: detection for this critical sandbox-escape is active now, matching all scanned images against the affected version range for oneuptime. Because no upstream fix image has been published yet, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild the moment version 10.0.98 or later appears in the upstream feed. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual steps required. In the interim, where compliance policy permits, teams can apply compensating controls such as network-policy rules that restrict which identities can reach the OneUptime sandbox execution endpoint, egress filtering to limit what a compromised process can connect to, and feature-flag gating to disable user-supplied script execution until the patch is applied.
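As an added example (not HarborGuard's or OneUptime's code), the version-range match described above written as a small Node.js check: it parses semver versions, applies semver precedence so that 10.0.100 is not below 10.0.98 while 10.0.98-rc.1 is, and flags entries of a constructed image inventory whose bundled oneuptime version is below 10.0.98. The inventory, the registry.example image names and the flagInventory helper are assumptions made for the example.

```javascript
// Added example, not HarborGuard's or OneUptime's code: flags images whose
// bundled oneuptime version falls in the advisory's affected range "< 10.0.98".
const CVE_ID = "CVE-2026-45102";
const FIXED_VERSION = "10.0.98";

// Parse "v1.2.3-rc.1+build" into a numeric core and prerelease identifiers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Semver 2.0 prerelease identifier order: numeric before alphanumeric, numeric compared as numbers.
function compareIdentifiers(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 by semver precedence; build metadata is ignored.
function compareVersions(x, y) {
  const a = parseVersion(x), b = parseVersion(y);
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return Math.sign(a.core[i] - b.core[i]);
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;  // a release outranks any prerelease of the same core
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifiers(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length); // longer prerelease list has higher precedence
}

function isAffected(version) { return compareVersions(version, FIXED_VERSION) < 0; }

// Constructed inventory (image -> bundled oneuptime version); an assumption, not real data.
const INVENTORY = [
  { image: "registry.example/oneuptime:10.0.97", oneuptime: "10.0.97" },
  { image: "registry.example/oneuptime:10.0.98", oneuptime: "10.0.98" },
  { image: "registry.example/custom-oneuptime:rc", oneuptime: "10.0.98-rc.1" },
  { image: "registry.example/oneuptime:10.0.100", oneuptime: "10.0.100" },
];

// One finding per affected image, carrying the CVE id and the fixed version.
function flagInventory(inventory) {
  return inventory
    .filter((e) => isAffected(e.oneuptime))
    .map((e) => ({ image: e.image, version: e.oneuptime, cve: CVE_ID, fixedIn: FIXED_VERSION }));
}
```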


Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: 10.0.98
Affected Products: 1
Affected packages:
  • OneUptime / oneuptime (< 10.0.98)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H