CVE-2026-29779 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting UptimeFlare, a serverless uptime monitoring and status page solution powered by Cloudflare Workers. The root cause lies in the shared module uptime.config.ts, which exports two configuration objects: pageConfig (safe for client use) and workerConfig (intended for server-side use only, containing sensitive data). Due to a coding error, the client-side component pages/incidents.tsx imported workerConfig directly, causing the entire sensitive workerConfig object to be bundled into the client-side JavaScript served to all visitors. This results in unauthorized exposure of sensitive server configuration data to anyone accessing the status page. The vulnerability affects all versions prior to commit 377a5963c66ba9a798abebfe8d80378b053435e9, which patched the issue by separating client and server configurations properly. The CVSS 3.1 score of 7.5 reflects a high-severity issue with network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on confidentiality. While no integrity or availability impact is noted, the exposure of sensitive data can enable attackers to gain insights into server configurations, potentially facilitating further attacks or reconnaissance. No known exploits have been reported in the wild to date.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive server-side configuration data embedded in the workerConfig object. This exposure compromises confidentiality, potentially revealing secrets such as API keys, tokens, internal endpoints, or other sensitive parameters that could be leveraged by attackers for further exploitation. Although the vulnerability does not directly affect system integrity or availability, the leaked information could enable attackers to craft targeted attacks, escalate privileges, or bypass security controls. Organizations relying on UptimeFlare for uptime monitoring and status pages may inadvertently expose critical internal configuration details to any visitor, including malicious actors. This could lead to reputational damage, increased risk of intrusion, and potential data breaches. Since the vulnerability requires no authentication or user interaction, it is easily exploitable by anyone accessing the affected pages. The widespread use of Cloudflare Workers and serverless monitoring solutions increases the potential attack surface, especially for organizations that have not applied the patch.

To mitigate this vulnerability, organizations should immediately update UptimeFlare to a version including commit 377a596 or later, which properly segregates client and server configuration exports. Developers should audit their codebase to ensure that sensitive server-only configurations are never imported or bundled into client-side JavaScript. Implement strict code review processes focusing on the separation of client and server contexts, especially in serverless or edge computing environments. Employ automated static analysis tools to detect accidental exposure of sensitive data in frontend bundles. Additionally, rotate any potentially exposed secrets or credentials that may have been leaked prior to patching. Consider implementing runtime monitoring and alerting for unusual access patterns to status pages. Finally, educate development teams on secure coding practices related to configuration management and data exposure in serverless architectures.