CVE-2026-33130 is a vulnerability in the open-source monitoring tool Uptime Kuma, affecting versions from 1.23.0 up to but not including 2.2.1. The root cause lies in the LiquidJS template engine's file inclusion mechanism, which is used for server-side template rendering. The initial fix (GHSA-vffh-c9pq-4crh) implemented three mitigations—root, relativeReference, and dynamicPartials—to restrict file inclusion paths. However, these mitigations only block quoted paths, leaving unquoted absolute paths unchecked. Specifically, the require.resolve() fallback in liquid.node.js does not enforce any containment or path validation, allowing an attacker to specify unquoted absolute paths such as /etc/passwd. Because require.resolve() throws an error when paths are quoted, this was the only reason quoted paths were blocked, not due to intentional security controls. This flaw enables remote file inclusion (RFI), allowing an attacker with limited privileges to read arbitrary files on the server, potentially exposing sensitive information. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and high confidentiality impact but no integrity or availability impact. The issue was resolved in Uptime Kuma version 2.2.1 by adding proper containment checks to the require.resolve() fallback, preventing unquoted absolute path resolution. There are no known exploits in the wild as of the publication date.

The primary impact of this vulnerability is unauthorized disclosure of sensitive server files, which can include configuration files, credentials, or other critical data. This exposure can facilitate further attacks such as privilege escalation, lateral movement, or targeted exploitation of other vulnerabilities. Since Uptime Kuma is often deployed in internal monitoring environments, attackers gaining access to sensitive files could disrupt monitoring operations or gain insights into the network infrastructure. The vulnerability requires some level of privileges (PR:L), so attackers must have limited access already, but no user interaction is needed. The confidentiality impact is high, while integrity and availability remain unaffected. Organizations using affected versions risk data leakage and potential compromise of internal systems if the vulnerability is exploited. Although no exploits are currently known in the wild, the ease of exploitation via network access and the critical nature of the data potentially exposed make this a significant risk.

1. Upgrade Uptime Kuma to version 2.2.1 or later, where the vulnerability is fully patched. 2. Review and restrict user privileges to minimize the risk of attackers having the required privileges to exploit this vulnerability. 3. Implement strict input validation and sanitization on any user-controllable inputs that influence template rendering or file inclusion paths. 4. Monitor logs for suspicious file access patterns, especially attempts to include absolute paths or access sensitive files like /etc/passwd. 5. Employ network segmentation and firewall rules to limit access to Uptime Kuma instances only to trusted users and systems. 6. Conduct regular security audits and penetration testing focusing on template injection and file inclusion vulnerabilities. 7. If upgrading immediately is not possible, consider temporarily disabling or restricting features that allow template customization or file inclusion. 8. Educate developers and administrators about secure template engine usage and the risks of improper file inclusion.