CVE-2026-27574: OneUptime:: node:vm sandbox escape in probe allows any project member to achieve RCE

February 24, 2026

OneUptime lets project members write custom JavaScript that runs inside monitors. The problem is it executes that code using Node.js’s built-in vm module, which Node.js itself documents as “not a security mechanism — do not use it to run untrusted code.” The classic one-liner escape gives full access to the underlying process, and since the probe runs with host networking and holds all cluster credentials in its environment, this turns into a full cluster compromise for anyone who can register an account.

References

github.com/OneUptime/oneuptime
github.com/OneUptime/oneuptime/commit/7f9ed4d43945574702a26b7c206e38cc344fe427
github.com/OneUptime/oneuptime/security/advisories/GHSA-v264-xqh4-9xmm
github.com/advisories/GHSA-v264-xqh4-9xmm
nvd.nist.gov/vuln/detail/CVE-2026-27574

Code Behaviors & Features

Detect and mitigate CVE-2026-27574 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →