{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29779", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T16:26:02.898Z", "datePublished": "2026-03-07T15:19:38.593Z", "dateUpdated": "2026-03-09T18:27:06.064Z"}, "containers": {"cna": {"title": "UptimeFlare: Montior config / Credentials in `workerConfig` exposed in client-side JavaScript bundle", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/lyc8503/UptimeFlare/security/advisories/GHSA-36q9-v7p3-vj6v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lyc8503/UptimeFlare/security/advisories/GHSA-36q9-v7p3-vj6v"}, {"name": "https://github.com/lyc8503/UptimeFlare/issues/198", "tags": ["x_refsource_MISC"], "url": "https://github.com/lyc8503/UptimeFlare/issues/198"}, {"name": "https://github.com/lyc8503/UptimeFlare/commit/377a5963c66ba9a798abebfe8d80378b053435e9", "tags": ["x_refsource_MISC"], "url": "https://github.com/lyc8503/UptimeFlare/commit/377a5963c66ba9a798abebfe8d80378b053435e9"}], "affected": [{"vendor": "lyc8503", "product": "UptimeFlare", "versions": [{"version": "< 377a5963c66ba9a798abebfe8d80378b053435e9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:19:38.593Z"}, "descriptions": [{"lang": "en", "value": "UptimeFlare is a serverless uptime monitoring & status page solution, powered by Cloudflare Workers. Prior to commit 377a596, configuration file uptime.config.ts exports both pageConfig (safe for client use) and workerConfig (server-only, contains sensitive data) from the same module. Due to pages/incidents.tsx importing and using workerConfig directly inside client-side component code, the entire workerConfig object was included in the client-side JavaScript bundle served to all visitors. This issue has been patched via commit 377a596."}], "source": {"advisory": "GHSA-36q9-v7p3-vj6v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:43:37.233547Z", "id": "CVE-2026-29779", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:27:06.064Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29779", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T17:43:37.233547Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:43:38.270Z"}}], "cna": {"title": "UptimeFlare: Montior config / Credentials in `workerConfig` exposed in client-side JavaScript bundle", "source": {"advisory": "GHSA-36q9-v7p3-vj6v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "lyc8503", "product": "UptimeFlare", "versions": [{"status": "affected", "version": "< 377a5963c66ba9a798abebfe8d80378b053435e9"}]}], "references": [{"url": "https://github.com/lyc8503/UptimeFlare/security/advisories/GHSA-36q9-v7p3-vj6v", "name": "https://github.com/lyc8503/UptimeFlare/security/advisories/GHSA-36q9-v7p3-vj6v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/lyc8503/UptimeFlare/issues/198", "name": "https://github.com/lyc8503/UptimeFlare/issues/198", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/lyc8503/UptimeFlare/commit/377a5963c66ba9a798abebfe8d80378b053435e9", "name": "https://github.com/lyc8503/UptimeFlare/commit/377a5963c66ba9a798abebfe8d80378b053435e9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "UptimeFlare is a serverless uptime monitoring & status page solution, powered by Cloudflare Workers. Prior to commit 377a596, configuration file uptime.config.ts exports both pageConfig (safe for client use) and workerConfig (server-only, contains sensitive data) from the same module. Due to pages/incidents.tsx importing and using workerConfig directly inside client-side component code, the entire workerConfig object was included in the client-side JavaScript bundle served to all visitors. This issue has been patched via commit 377a596."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:19:38.593Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29779", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:27:06.064Z", "dateReserved": "2026-03-04T16:26:02.898Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T15:19:38.593Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lyc8503:uptimeflare:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F0BF86D-7167-41AE-A8B1-CC603467A5C2", "versionEndExcluding": "2026-03-04", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "UptimeFlare is a serverless uptime monitoring & status page solution, powered by Cloudflare Workers. Prior to commit 377a596, configuration file uptime.config.ts exports both pageConfig (safe for client use) and workerConfig (server-only, contains sensitive data) from the same module. Due to pages/incidents.tsx importing and using workerConfig directly inside client-side component code, the entire workerConfig object was included in the client-side JavaScript bundle served to all visitors. This issue has been patched via commit 377a596."}, {"lang": "es", "value": "UptimeFlare es una soluci\u00f3n sin servidor de monitoreo de tiempo de actividad y p\u00e1gina de estado, impulsada por Cloudflare Workers. Antes del commit 377a596, el archivo de configuraci\u00f3n uptime.config.ts exportaba tanto pageConfig (seguro para uso del cliente) como workerConfig (solo para servidor, contiene datos sensibles) desde el mismo m\u00f3dulo. Debido a que pages/incidents.tsx importaba y usaba workerConfig directamente dentro del c\u00f3digo del componente del lado del cliente, el objeto workerConfig completo se incluy\u00f3 en el paquete JavaScript del lado del cliente servido a todos los visitantes. Este problema ha sido parcheado mediante el commit 377a596."}], "id": "CVE-2026-29779", "lastModified": "2026-03-11T22:07:38.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T16:15:54.953", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/lyc8503/UptimeFlare/commit/377a5963c66ba9a798abebfe8d80378b053435e9"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/lyc8503/UptimeFlare/issues/198"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/lyc8503/UptimeFlare/security/advisories/GHSA-36q9-v7p3-vj6v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,377a5963c66ba9a798abebfe8d80378b053435e9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "UptimeFlare", "source": "cna", "vendor": "lyc8503"}, "product": "uptimeflare", "vendor": "lyc8503"}], "analysis": {"en": {"generated_at": "2026-04-18T09:46:57.332304+00:00", "value": {"mitigation_remediation": ["Deploy the patch provided in commit 377a596 or upgrade to a UptimeFlare release that contains the fix. This removes the workerConfig reference from client\u2011side code.", "Configure the build process to exclude server\u2011only configuration modules from client bundles, ensuring that worker\u2011specific data never reaches the browser. This can be achieved by adjusting module resolution rules or adding explicit ignore directives in the build tooling.", "Audit the UptimeFlare code base to ensure that trusted configuration data is only imported into server\u2011side or Cloudflare Worker code, and never into components that run in the browser."], "summary": {"action": "Apply Patch", "impact": "Confidentiality Compromise"}, "threat_synthesis": {"affected_systems": "The vendor lyc8503\u2019s UptimeFlare application is affected. All deployments that were built from the codebase before the patch commit 377a596\u2014including any distributed versions that did not separate workerConfig from client\u2011visible modules\u2014must be considered vulnerable.", "description_and_impact": "A serverless uptime monitoring solution exported sensitive worker configuration, including credentials, from the same module that also exported safe page configuration. The worker configuration was imported directly in a client\u2011side component, causing the entire object to be bundled and served to all visitors. This flaw exposed confidential data to anyone who could load the page, resulting in a direct privacy breach.", "risk_and_exploitability": "The CVSS score of 7.5 signals a high severity assessment. The EPSS score of less than 1% indicates a very low probability that this vulnerability will be actively exploited at this time, and the vulnerability is not currently tracked by the CISA KEV catalog. The most likely attack vector is simple: a malicious or curious user loads the application and inspects the JavaScript bundle to recover exposed credentials, with no authentication or privileged access required. The harm is limited to confidentiality compromise; it does not currently allow further actions such as code execution or denial of service."}}}}, "created": "2026-03-09T10:05:16.579879+00:00", "updated": "2026-04-18T10:00:10.311515+00:00", "vendors": ["lyc8503", "lyc8503$PRODUCT$uptimeflare"]}