Description
OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verification. This violates the WebAuthn specification (W3C Web Authentication Level 2, §13.4.3) and allows an attacker who has obtained a valid WebAuthn assertion (e.g., via XSS, MitM, or log exposure) to replay it indefinitely, completely bypassing the second-factor authentication. No known patches are available.
Published: 2026-03-06
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Second‑factor authentication bypass via credential replay
Action: Monitor
AI Analysis

Impact

The vulnerability lies in OneUptime's implementation of WebAuthn, which does not store the server‑generated challenge during the authentication ceremony. Instead, it returns the challenge to the client and validates the client's signed response against whatever challenge the client sends back in the request body. This deviation from the WebAuthn specification allows an adversary who has captured a valid WebAuthn assertion to replay it any number of times, effectively bypassing the second‑factor protection and gaining unauthorized access. The weakness is a classic authentication bypass (CWE‑287).

Affected Systems

Affected products are OneUptime versions 10.0.11 and earlier. Exposure is limited to the OneUptime monitoring and management platform; any deployment of these versions is susceptible.

Risk and Exploitability

The CVSS score is 8.2, indicating a high‑severity flaw, while the EPSS score of less than 1% suggests exploitation is currently unlikely, and it is not listed in the CISA KEV catalog. The likely attack path requires an attacker to obtain a valid WebAuthn assertion—through cross‑site scripting, man‑in‑the‑middle interception, or log exposure—and then replay that assertion to the server, which will accept it because it trusts the client‑supplied challenge. No patch is yet available, but the flaw is fully exploitable once the assertion is captured.

Generated by OpenCVE AI on April 17, 2026 at 12:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a vendor‑issued patch or update to a version that implements server‑side challenge storage when released.
  • Implement network‑level controls or post‑authentication revocation to invalidate captured WebAuthn assertions immediately after first use, thereby preventing replay.
  • Harden the web application against XSS and other attack vectors that could expose valid assertions, for example by enforcing strict Content Security Policies and input sanitization.


Advisories

Source: GitHub GHSA
ID: GHSA-gjjc-pcwp-c74m
Title: OneUptime has WebAuthn 2FA bypass: server accepts client-supplied challenge instead of server-stored value, allowing credential replay

History

Tue, 10 Mar 2026 20:00:00 +0000
  First Time appeared (values added): Hackerbay; Hackerbay oneuptime
  CPEs (values added): cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
  Vendors & Products (values added): Hackerbay; Hackerbay oneuptime

Mon, 09 Mar 2026 20:15:00 +0000
  Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000
  First Time appeared (values added): Oneuptime; Oneuptime oneuptime
  Vendors & Products (values added): Oneuptime; Oneuptime oneuptime

Fri, 06 Mar 2026 05:15:00 +0000
  Description (values added): OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verification. This violates the WebAuthn specification (W3C Web Authentication Level 2, §13.4.3) and allows an attacker who has obtained a valid WebAuthn assertion (e.g., via XSS, MitM, or log exposure) to replay it indefinitely, completely bypassing the second-factor authentication. No known patches are available.
  Title (values added): OneUptime has WebAuthn 2FA bypass: server accepts client-supplied challenge instead of server-stored value, allowing credential replay
  Weaknesses (values added): CWE-287; CWE-294
  References (values added): none listed
  Metrics (values added): cvssV3_1
    {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T19:46:22.314Z

Reserved: 2026-03-03T14:25:19.244Z

Link: CVE-2026-28787

Vulnrichment

Updated: 2026-03-09T19:46:18.758Z

NVD

Status: Analyzed

Published: 2026-03-06T05:16:39.980

Modified: 2026-03-10T19:51:16.083

Link: CVE-2026-28787

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses