CVE-2026-35053
OneUptime: Unauthenticated Workflow Execution via ManualAPI
| CVSS Score | 0.0 |
| EPSS Score | 0.1% |
| EPSS Percentile | 28th |
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication middleware. An attacker who can obtain or guess a workflow ID can trigger arbitrary workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipulation. This issue has been patched in version 10.0.42.
| CWE | CWE-306 |
| Vendor | oneuptime |
| Product | oneuptime |
| Published | Apr 2, 2026 |
| Last Updated | Apr 3, 2026 |
Affected Versions
OneUptime / oneuptime
< 10.0.42