CVE-2026-29779 HIGH

CVE-2026-29779: UptimeFlare: Montior config / Credentials in `workerConfig` exposed in client-side JavaScript bundle

Vendor Lyc8503

Product UptimeFlare

Weakness CWE-200 · Info exposure

Published March 7, 2026

Last update March 9, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

UptimeFlare is a serverless uptime monitoring & status page solution, powered by Cloudflare Workers. Prior to commit 377a596, configuration file uptime.config.ts exports both pageConfig (safe for client use) and workerConfig (server-only, contains sensitive data) from the same module. Due to pages/incidents.tsx importing and using workerConfig directly inside client-side component code, the entire workerConfig object was included in the client-side JavaScript bundle served to all visitors. This issue has been patched via commit 377a596.

Key dates

Disclosure timeline

March 7, 2026 CVE published

March 9, 2026 Record updated

Identifiers

CVE CVE-2026-29779

CWE CWE-200

CVSS 7.5 / HIGH

Affected versions

Vendor Lyc8503

Product UptimeFlare

Affected < 377a5963c66ba9a798abebfe8d80378b053435e9