CVE-2026-33130: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in louislam uptime-kuma
CVE-2026-33130 is a medium severity vulnerability in Uptime Kuma versions 1.23.0 through 2.2.0 that allows remote file inclusion via improper control of filename in PHP require/include statements. The vulnerability arises because mitigations in the Liquid template engine only block quoted paths, while unquoted absolute paths bypass these checks and can be resolved by require.resolve(), enabling attackers to read arbitrary files on the server. This flaw stems from incomplete containment in the file resolution fallback mechanism. Exploitation requires low privileges (PR:L) but no user interaction and can lead to disclosure of sensitive server files, impacting confidentiality. The issue was fixed in version 2.
AI Analysis
Technical Summary
CVE-2026-33130 affects Uptime Kuma, an open-source self-hosted monitoring tool, specifically versions from 1.23.0 up to but not including 2.2.1. The vulnerability is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement) and CWE-1336. It arises from an incomplete fix addressing Server-side Template Injection (SSTI) in the Liquid template engine used by Uptime Kuma. The initial mitigation introduced three configuration options (root, relativeReference, dynamicPartials) to restrict file inclusion paths, but these only effectively block quoted paths. When an unquoted absolute path is used, the require.resolve() fallback in liquid.node.js does not enforce any containment checks, allowing the resolution of arbitrary absolute file paths such as /etc/passwd. This behavior enables attackers with at least low privileges to read any file on the server that the application process can access, potentially exposing sensitive information. The vulnerability does not require user interaction and has a CVSS v3.1 score of 6.5, reflecting medium severity with high confidentiality impact but no integrity or availability impact. No known exploits are reported in the wild as of the publication date (March 20, 2026). The issue was fixed in Uptime Kuma version 2.2.1 by properly containing the require.resolve() fallback to prevent unquoted absolute path resolution.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive files on the server hosting Uptime Kuma. Attackers exploiting this flaw can read arbitrary files, potentially including configuration files, credentials, private keys, or other sensitive data, leading to significant confidentiality breaches. Since Uptime Kuma is often deployed in monitoring environments, exposure of internal infrastructure details or credentials could facilitate further attacks or lateral movement within networks. The vulnerability does not directly affect system integrity or availability but can serve as a stepping stone for more severe attacks. Organizations using affected versions are at risk of data leakage, which could result in compliance violations, reputational damage, and operational risks. The ease of exploitation (network accessible, low privileges, no user interaction) increases the threat level, especially in environments where Uptime Kuma is exposed to untrusted networks or users.
Mitigation Recommendations
1. Immediate upgrade to Uptime Kuma version 2.2.1 or later, where the vulnerability is fully patched.
2. If upgrading is not immediately possible, restrict access to the Uptime Kuma instance using network-level controls such as firewalls or VPNs to limit exposure to trusted users only.
3. Review and harden file system permissions to minimize the application's ability to read sensitive files unnecessarily.
4. Monitor logs for suspicious requests attempting to exploit file inclusion or unusual file access patterns.
5. Consider implementing Web Application Firewalls (WAFs) with rules to detect and block attempts to exploit file inclusion vulnerabilities.
6. Conduct security audits of custom templates or plugins that might use LiquidJS to ensure they do not introduce similar path resolution issues.
7. Educate developers and administrators about secure template handling and the risks of improper file inclusion.
Affected Countries
United States, Germany, United Kingdom, France, Japan, Australia, Canada, Netherlands, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T20:35:49.927Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bd1cd0e32a4fbe5f4fde03
Added to database: 3/20/2026, 10:09:20 AM
Last enriched: 3/20/2026, 10:23:38 AM
Last updated: 3/20/2026, 11:23:02 AM