CVE-2026-29779: UptimeFlare

Vendor-confirmed - CVE-2026-29779 is a high information disclosure in UptimeFlare, a Cloudflare Worker-based monitoring solution, that leaks sensitive server configuration data-including API keys and internal paths-to every website visitor. Update immediately to commit 377a596 and rotate all secrets.

Overview

A significant information disclosure vulnerability, identified as CVE-2026-29779, has been discovered in UptimeFlare, a serverless monitoring solution built on Cloudflare Workers. This flaw could allow unauthorized parties to access sensitive configuration data intended only for server-side execution.

Vulnerability Explained

In simple terms, UptimeFlare’s code was structured in a way that accidentally bundled sensitive server configuration data with the public, client-side web page code. Specifically, a file meant for internal server use (workerConfig), containing potentially sensitive operational details, was incorrectly imported and processed by code that runs in a visitor’s web browser. This caused the confidential workerConfig object to be included in the JavaScript files downloaded by every website visitor, exposing any secrets or internal paths it contained.

Potential Impact

The primary risk is the exposure of sensitive configuration details. Depending on what was stored in the workerConfig object, this could include:

• Internal API keys or tokens for integrated services.
• Database connection strings or internal network paths.
• Other environment-specific secrets used by the Worker backend. Attackers could leverage this exposed information to further compromise the monitoring system, attack connected backend services, or gain unauthorized access to related infrastructure. For context on how exposed data can be exploited, recent incidents are detailed in our breach reports.

Remediation and Mitigation

This issue has been addressed by the maintainers. Immediate action is required for all users.

Action Required:

1. Update Immediately: Ensure your UptimeFlare deployment uses code from commit 377a596 or later. This patch properly separates client and server configuration, preventing the sensitive data from being bundled for client delivery.
2. Rotate Secrets: As a precaution, proactively rotate any API keys, tokens, or credentials that may have been defined within the workerConfig object, even if you see no evidence of misuse. Treat them as potentially compromised.
3. Verify Deployment: After updating, audit your publicly served JavaScript bundles to confirm that sensitive workerConfig properties are no longer present.

Users should regularly update their dependencies and review their deployment build processes to prevent similar client-side leakage of server secrets. For the latest updates on such vulnerabilities, follow our security news section.