CVE-2026-28787

High CVSS: 8.2

OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verification. This violates the WebAuthn specification (W3C Web Authentication Level 2, §13.4.3) and allows an attacker who has obtained a valid WebAuthn assertion (e.g., via XSS, MitM, or log exposure) to replay it indefinitely, completely bypassing the second-factor authentication. No known patches are available.

Vendor

Hackerbay

Product

Oneuptime

CWE

CWE-287

Yayın Tarihi

2026-03-06 05:16:39

Güncelleme

2026-03-10 19:51:16

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-287 Oneuptime HIGH Hackerbay 2026

Referanslar

https://github.com/OneUptime/oneuptime/security/advisories/GHSA-gjjc-pcwp-c74m

Benzer Kayıtlar

Critical

CVE-2026-34758

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to N…

Critical

CVE-2026-33396

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authentica…

High

CVE-2026-33142

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-3230…

High

CVE-2026-33143

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook…

Medium

CVE-2026-32598

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the…

Critical

CVE-2026-32306

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API acc…