JustAppSec

OneUptime patches unauthenticated workflow execution via ManualAPI

Published: 02 Apr 2026. Updated: 02 Apr 2026. Source: CVEProject (cvelistV5). 1 min read.

TL;DR — OneUptime’s Worker ManualAPI exposed workflow execution endpoints without authentication, so an attacker who can obtain or guess a workflow ID can remotely trigger arbitrary workflows.

What happened

OneUptime is an open-source monitoring and observability platform.

CVE-2026-35053 describes a missing authentication issue in OneUptime’s Worker service ManualAPI: the workflow execution endpoints GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId were exposed without any authentication middleware. The CVE states that an attacker who can obtain or guess a workflow ID can trigger workflow execution with attacker-controlled input data, enabling JavaScript code execution, notification abuse, and data manipulation.

Severity is CVSS v4.0 9.2 (Critical). Because no authentication is involved at all, the only preconditions are network reachability of the Worker service and knowledge of a workflow ID. Missing-auth bugs on "internal" worker/admin APIs are a recurring failure mode in microservice-style systems: a single mis-routed or unintentionally exposed endpoint can become an internet-reachable control plane.

Who is impacted

  • OneUptime deployments running versions prior to 10.0.42.
  • Environments where the Worker service’s ManualAPI endpoints are reachable by untrusted users and workflow IDs can be discovered or guessed.

Component   Affected versions (per CVE record)   Patched versions (per CVE record)
oneuptime   < 10.0.42                            10.0.42

What to do now

  • Upgrade to OneUptime 10.0.42 or later, the patched release named in the CVE record:
    • "This issue has been patched in version 10.0.42."

  • Inventory any production services running OneUptime and confirm the deployed version (images, artifacts, or release tags).
  • Identify whether GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId are reachable from outside your trust boundary (public ingress, shared networks, other tenants), prioritize those exposures for remediation, and, until the upgrade is deployed, restrict access to the Worker service at the network or ingress layer.
  • If compromise is suspected, review logs for unexpected calls to the manual workflow execution endpoints and investigate any workflow runs that carried unexpected input. Many requests from one source for different, often non-existent, workflow IDs are consistent with ID guessing.
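The version check and log review above can be scripted. The following is an added example written for this page, not OneUptime's own code: it compares a deployed version tag against the patched release, pulls every request to the two ManualAPI run endpoints out of access-log lines, and groups them per source address so that ID guessing (many distinct workflow IDs from one source, mostly non-2xx) stands out. It assumes combined-format access logs in which the request path is the one seen by the Worker service; the log lines and workflow IDs below are constructed sample data.

```typescript
// Added triage helpers for CVE-2026-35053 (illustrative code written for this
// page, not OneUptime's own). Assumptions: version tags look like "10.0.41" or
// "v10.0.41"; access logs are in Apache/nginx combined format and carry the
// path as the Worker service sees it. Adjust the regexes to your proxy.

const PATCHED_VERSION = "10.0.42";
const MANUAL_RUN_PATH = /^\/workflow\/manual\/run\/([^\/?#\s]+)/;
const COMBINED_LOG =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP\/[\d.]+" (\d{3})/;

function parseVersion(v: string): number[] | null {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// true = 10.0.42 or later, false = vulnerable range, null = unparseable tag
// (e.g. "latest"), which must be resolved to a concrete version, not ignored.
function isPatched(version: string): boolean | null {
  const got = parseVersion(version);
  const want = parseVersion(PATCHED_VERSION) as number[];
  if (!got) return null;
  for (let i = 0; i < 3; i++) {
    if (got[i] !== want[i]) return got[i] > want[i];
  }
  return true;
}

interface ManualRunHit { ip: string; time: string; method: string; workflowId: string; status: number; }

// Every request to GET/POST /workflow/manual/run/:workflowId. Sibling paths
// such as /workflow/manual/runs do not match; a query string is not part of the ID.
function findManualRunCalls(lines: string[]): ManualRunHit[] {
  const hits: ManualRunHit[] = [];
  for (const line of lines) {
    const m = COMBINED_LOG.exec(line);
    if (!m) continue;
    const w = MANUAL_RUN_PATH.exec(m[4]);
    if (!w) continue;
    hits.push({ ip: m[1], time: m[2], method: m[3], workflowId: w[1], status: Number(m[5]) });
  }
  return hits;
}

interface SourceSummary { ip: string; calls: number; distinctWorkflowIds: number; nonSuccess: number; }

// Group hits per source address, most distinct workflow IDs first. Many distinct
// IDs with mostly non-2xx responses from one source is the shape of ID guessing.
function summarizeBySource(hits: ManualRunHit[]): SourceSummary[] {
  const bySource = new Map<string, { ids: Set<string>; calls: number; nonSuccess: number }>();
  for (const h of hits) {
    let s = bySource.get(h.ip);
    if (!s) { s = { ids: new Set<string>(), calls: 0, nonSuccess: 0 }; bySource.set(h.ip, s); }
    s.ids.add(h.workflowId);
    s.calls += 1;
    if (h.status < 200 || h.status >= 300) s.nonSuccess += 1;
  }
  const out: SourceSummary[] = [];
  bySource.forEach((s, ip) =>
    out.push({ ip, calls: s.calls, distinctWorkflowIds: s.ids.size, nonSuccess: s.nonSuccess }));
  return out.sort((a, b) => b.distinctWorkflowIds - a.distinctWorkflowIds);
}

// Sources that touched at least minDistinctIds different workflow IDs.
function guessingSuspects(summary: SourceSummary[], minDistinctIds = 3): string[] {
  return summary.filter((s) => s.distinctWorkflowIds >= minDistinctIds).map((s) => s.ip);
}

// Constructed sample log lines (not real traffic): an external source probing
// three IDs, and an internal user running one existing workflow.
const SAMPLE_LOG: string[] = [
  '203.0.113.7 - - [02/Apr/2026:10:01:02 +0000] "GET /status HTTP/1.1" 200 12 "-" "curl/8.0"',
  '203.0.113.7 - - [02/Apr/2026:10:01:05 +0000] "POST /workflow/manual/run/8f1e1d4a-0000-4000-8000-000000000001 HTTP/1.1" 200 57 "-" "curl/8.0"',
  '203.0.113.7 - - [02/Apr/2026:10:01:06 +0000] "POST /workflow/manual/run/8f1e1d4a-0000-4000-8000-000000000002 HTTP/1.1" 404 0 "-" "curl/8.0"',
  '203.0.113.7 - - [02/Apr/2026:10:01:07 +0000] "GET /workflow/manual/run/8f1e1d4a-0000-4000-8000-000000000003?x=1 HTTP/1.1" 404 0 "-" "curl/8.0"',
  '10.0.0.5 - - [02/Apr/2026:10:02:00 +0000] "GET /workflow/manual/run/8f1e1d4a-0000-4000-8000-000000000001 HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [02/Apr/2026:10:02:01 +0000] "GET /workflow/manual/runs HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
];

// Stand-alone run: version verdicts, then the per-source summary and suspects.
console.log(isPatched("10.0.41"), isPatched("v10.0.42"), isPatched("latest"));
const summaryForSample = summarizeBySource(findManualRunCalls(SAMPLE_LOG));
console.log(summaryForSample, guessingSuspects(summaryForSample));
```

Treat a null verdict from isPatched (a tag such as "latest") as unknown rather than safe, and feed the suspect list into the same investigation as any other sign of compromise: a source that enumerated IDs may also have hit the one ID that existed.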

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
