Mallory

OneUptime Flaws Enabled Forged WhatsApp Webhooks and Probe Command Execution

Tags: open-source-dependency-vulnerability, internet-facing-service-vulnerability, widely-deployed-product-advisory
Updated March 26, 2026 at 05:04 PM (2 sources)


Two high-severity vulnerabilities were disclosed in OneUptime, an open-source monitoring and observability platform, affecting webhook handling and synthetic monitoring. CVE-2026-33143 impacts versions before 10.0.34 and stems from missing verification of the Meta/WhatsApp X-Hub-Signature-256 HMAC signature in the POST /notification/whatsapp/webhook handler. Because the handler accepted any request body without checking the signature Meta computes with the app secret, an unauthenticated attacker with network reach to the endpoint could forge WhatsApp status update payloads, manipulate notification delivery records, suppress alerts, and corrupt audit trails. The issue was classified as CWE-345 (Insufficient Verification of Data Authenticity) and patched in version 10.0.34.
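What the missing check looks like when it is present. This is an added example written for this page, not OneUptime's handler or its 10.0.34 fix: it verifies Meta's X-Hub-Signature-256 header (hex HMAC-SHA256 of the raw request body, keyed with the app secret and prefixed with `sha256=`) before a status update is applied. The secret, payloads, and the handler shape are constructed for illustration.

```typescript
// Added example for this page; not OneUptime's webhook handler or its fix.
// Verifies Meta's X-Hub-Signature-256 header before trusting a WhatsApp
// status update. Secret, payloads and the handler shape are constructed.
import { createHmac, timingSafeEqual } from "node:crypto";

// Meta computes HMAC-SHA256 over the exact raw request body, keyed with the
// app secret, and sends it hex-encoded as "sha256=<hex>".
export function computeHubSignature(appSecret: string, rawBody: Buffer): string {
  return "sha256=" + createHmac("sha256", appSecret).update(rawBody).digest("hex");
}

export function verifyHubSignature(
  appSecret: string,
  rawBody: Buffer,
  headerValue: string | undefined,
): boolean {
  if (!headerValue || !headerValue.startsWith("sha256=")) {
    return false; // missing or malformed header is a rejection, not a pass
  }
  const expected = Buffer.from(computeHubSignature(appSecret, rawBody), "utf8");
  const received = Buffer.from(headerValue, "utf8");
  // timingSafeEqual throws on unequal lengths; treat that as a bad signature.
  if (expected.length !== received.length) {
    return false;
  }
  return timingSafeEqual(expected, received);
}

export type WebhookOutcome = "rejected" | "applied";

// Model of the handler decision: parse and act only on a verified body, and
// parse the same bytes that were signed rather than a re-serialised object.
export function handleStatusWebhook(
  appSecret: string,
  rawBody: Buffer,
  headerValue: string | undefined,
): WebhookOutcome {
  if (!verifyHubSignature(appSecret, rawBody, headerValue)) {
    return "rejected";
  }
  const payload = JSON.parse(rawBody.toString("utf8"));
  // A real handler would update delivery records from payload.entry[...]
  // here; this model only reports that the update was accepted.
  return payload && typeof payload === "object" ? "applied" : "rejected";
}

// Constructed sample data (hypothetical secret and message id).
export const SAMPLE_SECRET = "hypothetical-app-secret";
export const GENUINE_BODY = Buffer.from(
  JSON.stringify({ entry: [{ changes: [{ value: { statuses: [{ id: "wamid.SAMPLE", status: "failed" }] } }] }] }),
);
export const GENUINE_HEADER = computeHubSignature(SAMPLE_SECRET, GENUINE_BODY);

// Forgery: same message id, status flipped, replayed with the genuine header.
// Without the secret the attacker cannot produce a header that matches.
export const FORGED_BODY = Buffer.from(
  JSON.stringify({ entry: [{ changes: [{ value: { statuses: [{ id: "wamid.SAMPLE", status: "delivered" }] } }] }] }),
);
```

Two practical points: verify over the exact raw bytes the server received (a body-parsing middleware that re-serialises the JSON will change whitespace or key order and break the HMAC), and compare with a constant-time function only after checking lengths, since `timingSafeEqual` throws on mismatched buffers and an uncaught throw can turn into a confusing 500 rather than a clean 401.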

A second flaw, CVE-2026-33396, affects versions before 10.0.35 and allows a low-privileged authenticated user with the ProjectMember role to achieve remote command execution on the Probe container or host through Synthetic Monitor Playwright script execution. The weakness lies in VMRunner.runCodeInNodeVM, where code running in the sandbox retained a reference to the live Playwright page object; from it a script could traverse page.context().browser() to reach _browserType.launchServer(...) and spawn processes, a path that an incomplete method-name denylist did not cover. The vulnerability was mapped to CWE-78, CWE-693, and CWE-184, carries the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, and was fixed in OneUptime version 10.0.35.
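An added example, written for this page and not OneUptime's VMRunner or its 10.0.35 patch, of the failure class the CWE-184 mapping points at: a denylist of method names on the object handed into a node:vm sandbox does not stop a script from traversing `page.context().browser()._browserType.launchServer`, while an allowlist facade that returns only plain data never exposes the live object graph. The page object here is a constructed stand-in with Playwright's shape; its `launchServer` only returns a marker string and spawns nothing.

```typescript
// Added example for this page; not OneUptime's VMRunner or its patch.
// Shows why a method-name denylist does not contain an object graph handed
// into a node:vm sandbox, and what an allowlist facade does instead. The
// page object is a constructed stand-in with Playwright's shape; its
// launchServer only returns a marker string and spawns nothing.
import * as vm from "node:vm";

type FakeBrowserType = { launchServer: (opts?: object) => string };
type FakeBrowser = { _browserType: FakeBrowserType };
type FakeContext = { browser: () => FakeBrowser };
export type FakePage = {
  goto: (url: string) => string;
  title: () => string;
  context: () => FakeContext;
};

export const LAUNCH_MARKER = "LAUNCHED_SERVER"; // stands in for a spawned process

export function makeFakePage(): FakePage {
  const browserType: FakeBrowserType = { launchServer: () => LAUNCH_MARKER };
  const browser: FakeBrowser = { _browserType: browserType };
  const ctx: FakeContext = { browser: () => browser };
  return {
    goto: (url: string) => `navigated:${url}`,
    title: () => "Example Domain",
    context: () => ctx,
  };
}

// Runs an untrusted monitor script with `page` as its only global, the way a
// node:vm-based runner would.
export function runInSandbox(script: string, page: object): unknown {
  return vm.runInNewContext(script, { page }, { timeout: 1000 });
}

// Approach 1 (incomplete denylist, CWE-184): drop dangerous-looking names from
// the top-level object. It cannot see what the remaining methods return, so
// context() still hands back the live browser graph.
const DENIED = new Set<string>(["launchServer", "_browserType", "evaluate"]);
export function denylistWrap(page: FakePage): object {
  const wrapped: Record<string, unknown> = {};
  for (const key of Object.keys(page) as (keyof FakePage)[]) {
    if (!DENIED.has(key)) {
      wrapped[key] = page[key];
    }
  }
  return wrapped;
}

// Approach 2 (allowlist): expose only named operations and return only plain
// data, so no live Playwright object crosses into the sandbox at all.
export function allowlistFacade(page: FakePage): object {
  return Object.freeze({
    goto: (url: string) => String(page.goto(url)),
    title: () => String(page.title()),
  });
}

// Constructed script of the kind the advisory describes: it never names
// launchServer at the top level, only reaches it by traversal.
export const ESCAPE_SCRIPT =
  "page.context().browser()._browserType.launchServer({ port: 0 })";

export function tryEscape(sandboxPage: object): { escaped: boolean; detail: string } {
  try {
    const result = runInSandbox(ESCAPE_SCRIPT, sandboxPage);
    return { escaped: result === LAUNCH_MARKER, detail: String(result) };
  } catch (e) {
    return { escaped: false, detail: (e as Error).message };
  }
}
```

The caveat that matters in practice: node:vm is not a security boundary on its own. Any host function exposed through the facade still leaks the host realm's `Function` via `.constructor` (for example `page.title.constructor("return process")()`), so the allowlist reduces what an attacker can reach but does not replace running untrusted monitor scripts in a separate, least-privileged process or container.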

Timeline

  1. Mar 26, 2026

    CVE-2026-33396 disclosed for OneUptime Playwright sandbox escape

    CVE-2026-33396 was documented as a vulnerability in OneUptime versions prior to 10.0.35, enabling authenticated low-privilege users to execute arbitrary commands through the Synthetic Monitor Playwright runtime. Public details explained that attackers could reach _browserType.launchServer via page.context().browser() to spawn processes.

  2. Mar 26, 2026

    OneUptime fixes Synthetic Monitor sandbox escape in v10.0.35

    OneUptime released version 10.0.35 to address a sandbox escape in the Synthetic Monitor Playwright runtime. The flaw allowed a low-privileged ProjectMember user to achieve remote command execution on the Probe container or host by abusing exposed Playwright objects and incomplete sandbox restrictions.

  3. Mar 20, 2026

    CVE-2026-33143 publicly disclosed for OneUptime

    A high-severity vulnerability, CVE-2026-33143, was publicly disclosed for OneUptime, describing missing signature verification in the /notification/whatsapp/webhook endpoint. The flaw could let unauthenticated attackers forge webhook payloads, suppress alerts, and corrupt audit trails.

  4. Mar 20, 2026

    OneUptime patches WhatsApp webhook signature verification flaw in v10.0.34

    OneUptime fixed a vulnerability in the WhatsApp POST webhook handler that failed to verify the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing forged status update payloads to manipulate notification records and audit trails. The issue affected versions prior to 10.0.34.


Related Stories

OneUptime Flaws Allowed Unauthenticated Workflow Runs and Notification Abuse

Two high-severity vulnerabilities in **OneUptime** exposed unauthenticated endpoints that let remote attackers trigger sensitive actions without logging in. In versions before `10.0.42`, the Worker service's `GET` and `POST /workflow/manual/run/:workflowId` endpoints lacked authentication, allowing anyone who knew or guessed a workflow ID to execute workflows with attacker-controlled input. The issue could lead to JavaScript execution, notification abuse, and unauthorized data manipulation, and was tracked as **`CVE-2026-35053`** under **`CWE-306`**. A separate flaw, **`CVE-2026-34759`**, affected notification API endpoints exposed through the Nginx proxy at `/notification/` without the expected authorization middleware. Attackers could combine those endpoints with a `projectId` leak from the public Status Page API to abuse a victim's Twilio account, purchase phone numbers, delete existing alerting numbers, disrupt service, and expose SMTP credentials. Both vulnerabilities were disclosed through GitHub security advisories and patched in **OneUptime `10.0.42`**.

1 month ago
OpenHarness Flaws Exposed Remote Administrative and Plugin Management Commands

Two high-severity vulnerabilities in **OpenHarness** exposed administrative functionality to remote users through the platform’s gateway and channel layers. `CVE-2026-40502` affects versions prior to commit `dd1d235` and stems from insufficient separation between local-only and remote-safe commands in the gateway handler, allowing remote gateway users with chat access to invoke sensitive administrative actions such as changing permission modes on a running instance without operator approval. The issue is classified as `CWE-862` and carries the CVSS v3.1 vector `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`. A second flaw, `CVE-2026-6819`, affects HKUDS OpenHarness prior to the fix delivered in pull request `#156` and later release `v0.1.7`, exposing plugin lifecycle commands including `/plugin install`, `/plugin enable`, `/plugin disable`, and `/reload-plugins` to remote senders by default. An attacker who gains access through the channel layer could use the weakness to install or activate untrusted plugins and alter plugin trust state remotely, creating a path to full compromise of confidentiality, integrity, and availability. The vulnerability is tracked as `CWE-276` with CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`.

2 weeks ago
Multiple Critical Vulnerabilities and Active Exploitation Across SolarWinds WHD and Ivanti EPMM

Microsoft Defender researchers reported a multi-stage intrusion campaign exploiting **internet-exposed SolarWinds Web Help Desk (WHD)** servers to establish stealthy persistence and enable lateral movement toward broader domain compromise. After initial access, attackers created a scheduled task to start a hidden **QEMU** virtual machine under `SYSTEM`, using QEMU port forwarding (e.g., `hostfwd=tcp::22022-:22`) to provide a concealed SSH access path. The activity also included credential-theft tradecraft via **DLL sideloading**, abusing `wab.exe` to load a malicious `sspicli.dll`, enabling access to **LSASS** memory while attempting to evade common detections. Separately, active exploitation was reported against **Ivanti Endpoint Manager Mobile (EPMM)** appliances following disclosure of two critical flaws—**CVE-2026-1281** (authentication bypass) and **CVE-2026-1340** (remote code execution)—with intrusions observed dropping an artifact at `/mifs/403.jsp`. The observed payloads differed from typical interactive webshells: attackers delivered a Base64-encoded Java class (with `CAFEBABE` header) acting as a **dormant in-memory class loader** (e.g., `base.Info` compiled from `Info.java`) that waits for a later activation request to load and execute a second-stage class in memory, including an unusual entry point using `equals(Object)` rather than standard servlet handlers. In parallel with these exploitation reports, two unrelated critical vulnerability disclosures were highlighted: **Keylime** registrar misconfiguration (**CVE-2026-1709**, CVSS 9.4) that effectively disables **mTLS client certificate enforcement** (affected versions `7.12.0`–`7.13.0`), and a **Microsoft Semantic Kernel .NET SDK** arbitrary file write (**CVE-2026-25592**, CVSS 10.0) in `SessionsPythonPlugin` (`DownloadFileAsync`/`UploadFileAsync`) that can allow overwriting files via insufficient path validation.

1 month ago
