Advisory

OneUptime Patches Critical Command Injection Vulnerability in Probe Servers

Take action: If you are using OneUptime, this is important. Treat every authenticated user as a potential risk. Plan a very quick update of your monitoring Probes to version 10.0.7. Ensure your monitoring infrastructure is isolated from your core production network to prevent lateral movement if it is compromised.


Learn More

OneUptime, an open-source platform for monitoring and managing online services, patched a critical security flaw in its Probe Server component. 

The vulnerability, tracked as CVE-2026-27728 (CVSS score 9.9), allows authenticated users to execute arbitrary commands on the underlying host. It stems from improper input handling in the NetworkPathMonitor.performTraceroute() function, which performs traceroute operations by taking a user-supplied "destination" string and passing it to the Node.js child_process.exec() method. Because exec() spawns a shell to run the command, the shell interprets metacharacters such as semicolons, pipes, and subshell syntax. An attacker can craft a malicious monitor configuration, such as example.com; cat /etc/passwd, to break out of the intended command and run unauthorized code with the privileges of the Probe server.

Successful exploitation grants an attacker full remote code execution (RCE) on the Probe server. Since Probe servers often require elevated network permissions to perform monitoring tasks, a compromise could expose internal services that are usually isolated from the public internet. 

The flaw impacts OneUptime versions up to and including 10.0.6. Although the vulnerability requires authentication, any project user with basic permissions to create or edit monitors can trigger the exploit. 

OneUptime released version 10.0.7 to resolve the issue by migrating from exec() to execFile(). Unlike the previous method, execFile() executes binaries directly with an array of arguments, preventing the shell from interpreting metacharacters. Administrators should update their instances immediately using the latest Docker images. 

If patching is delayed, organizations should restrict monitor creation permissions to highly trusted users and isolate Probe servers within a segmented network to limit the potential blast radius.
