OneUptime Flaws Allowed Unauthenticated Workflow Runs and Notification Abuse
Two high-severity vulnerabilities in OneUptime exposed unauthenticated endpoints that let remote attackers trigger sensitive actions without logging in. In versions before 10.0.42, the Worker service's GET and POST /workflow/manual/run/:workflowId endpoints lacked authentication, allowing anyone who knew or guessed a workflow ID to execute workflows with attacker-controlled input. The issue could lead to JavaScript execution, notification abuse, and unauthorized data manipulation, and was tracked as CVE-2026-35053 under CWE-306.
A separate flaw, CVE-2026-34759, affected notification API endpoints exposed through the Nginx proxy at /notification/ without the expected authorization middleware. Attackers could combine those endpoints with a projectId leak from the public Status Page API to abuse a victim's Twilio account, purchase phone numbers, delete existing alerting numbers, disrupt service, and expose SMTP credentials. Both vulnerabilities were disclosed through GitHub security advisories and patched in OneUptime 10.0.42.
Timeline
Apr 2, 2026
GitHub security advisories disclose CVE-2026-34759 and CVE-2026-35053
On April 2, 2026, GitHub security advisories disclosed two OneUptime vulnerabilities: CVE-2026-34759, which allowed unauthenticated abuse of notification APIs including Twilio phone number purchase and SMTP credential exposure, and CVE-2026-35053, which allowed unauthenticated manual workflow execution with attacker-controlled input.
Apr 2, 2026
OneUptime releases version 10.0.42 to patch two unauthenticated endpoint flaws
OneUptime fixed two vulnerabilities affecting versions prior to 10.0.42 by releasing version 10.0.42. The patched issues involved exposed notification API endpoints and unauthenticated workflow execution endpoints in the Worker service.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Sources
Related Stories
OneUptime Flaws Enabled Forged WhatsApp Webhooks and Probe Command Execution
Two high-severity vulnerabilities were disclosed in **OneUptime**, an open-source monitoring and observability platform, affecting webhook handling and synthetic monitoring. **CVE-2026-33143** impacts versions before `10.0.34` and stems from missing verification of the Meta/WhatsApp `X-Hub-Signature-256` HMAC signature in the `POST /notification/whatsapp/webhook` handler. An unauthenticated attacker could forge WhatsApp status update payloads, manipulate notification delivery records, suppress alerts, and corrupt audit trails. The issue was classified as `CWE-345` and patched in version `10.0.34`. A second flaw, **CVE-2026-33396**, affects versions before `10.0.35` and allows a low-privileged authenticated user with the **ProjectMember** role to achieve remote command execution on the Probe container or host through Synthetic Monitor Playwright script execution. The weakness lies in `VMRunner.runCodeInNodeVM`, where sandboxed code retained access to a live Playwright page object and could reach dangerous methods such as `_browserType.launchServer(...)`, bypassing an incomplete denylist. The vulnerability was mapped to `CWE-78`, `CWE-693`, and `CWE-184`, carries a `CVSS:3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` rating, and was fixed in **OneUptime** version `10.0.35`.
1 months ago
Critical Remote Code Execution Vulnerability in n8n Workflow Automation Platform
A critical remote code execution vulnerability, tracked as CVE-2026-21877, has been identified in the n8n workflow automation platform. The flaw, rated CVSS 10.0, allows authenticated users to execute arbitrary code on affected n8n instances, posing a significant risk to environments where n8n is used to automate workflows with access to sensitive data, internal systems, and credentials. The vulnerability impacts n8n versions from 0.123.0 up to but not including 1.121.3, affecting both self-hosted and managed deployments. Exploitation requires authenticated access, and the vulnerability is linked to unsafe handling that can result in the execution of untrusted code. The issue has been addressed in n8n version 1.121.3 and later, and users are strongly advised to upgrade immediately to mitigate the risk. Additional recommendations include restricting workflow modification access to trusted administrators, blocking high-risk nodes at runtime, and reviewing audit logs for suspicious activity prior to patching. No public exploit details or proof-of-concept have been released as of the latest advisories. Organizations using n8n should prioritize patching and implement hardening measures to prevent potential compromise of their automation infrastructure.
1 months ago
Critical Remote Code Execution Vulnerabilities in n8n Workflow Automation Platform
A critical vulnerability, CVE-2025-68613, has been discovered in the n8n open-source workflow automation platform, allowing authenticated users with workflow creation or editing permissions to execute arbitrary system commands on the underlying server. This flaw, rated 9.9 on the CVSS scale, stems from improper sandboxing of JavaScript expressions within workflow definitions, enabling attackers to escape restrictions and gain system-level access. The vulnerability does not require administrative privileges, making it a significant risk in environments with multiple users or weak access controls, and could lead to full system compromise, data exfiltration, workflow sabotage, and lateral movement. Another related vulnerability, CVE-2025-68668, also enables sandbox escape in n8n, turning workflows into potential attack vectors. Both vulnerabilities highlight the urgent need for organizations using n8n to review user permissions, apply available patches, and implement strong access controls to mitigate the risk of exploitation. While there is no current evidence of active exploitation, the ease of attack and the platform's popularity make immediate remediation essential.
1 months ago