Description
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery status records, suppress alerts, and corrupt audit trails. The codebase already implements proper signature verification for Slack webhooks. This issue has been patched in version 10.0.34.
Published: 2026-03-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of notifications and suppression of alerts
Action: Patch Now
AI Analysis

Impact

The vulnerability resides in the WhatsApp webhook handler of OneUptime. Incoming POST requests to /notification/whatsapp/webhook are processed without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature. An attacker can forge payloads that change notification delivery status records, suppress alerts, and corrupt audit trails, compromising the integrity of the monitoring system.

Affected Systems

All OneUptime installations running versions before 10.0.34 are affected. The product is an open-source platform for monitoring and managing online services. The bug is limited to the WhatsApp webhook endpoint.

Risk and Exploitability

With a CVSS base score of 8.7, the flaw is classified as high severity. EPSS indicates a less than 1 % probability of exploitation, and the issue is not listed in the CISA KEV catalog. Exploitation requires only unauthenticated access to the exposed webhook URL over HTTP or HTTPS; no special credentials are needed. An attacker can modify status fields in the database, potentially erasing evidence of incidents and delaying detection of service problems.

Generated by OpenCVE AI on March 24, 2026 at 04:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OneUptime 10.0.34 or newer, where signature verification is implemented.
  • If an upgrade cannot be performed immediately, restrict the /notification/whatsapp/webhook endpoint to trusted IP ranges or internal networks using firewalls or reverse proxies.
  • After upgrading or restricting the endpoint, confirm that signature verification is active by sending a test webhook with an invalid signature and verifying that the request is rejected.
  • Continuously monitor audit logs for unexpected changes to notification status fields and investigate any anomalies promptly.

Generated by OpenCVE AI on March 24, 2026 at 04:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g5ph-f57v-mwjc OneUptime WhatsApp Webhook Missing Signature Verification
History

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Hackerbay
Hackerbay oneuptime
CPEs cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
Vendors & Products Hackerbay
Hackerbay oneuptime
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Oneuptime
Oneuptime oneuptime
Vendors & Products Oneuptime
Oneuptime oneuptime

Fri, 20 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery status records, suppress alerts, and corrupt audit trails. The codebase already implements proper signature verification for Slack webhooks. This issue has been patched in version 10.0.34.
Title OneUptime: WhatsApp Webhook Missing Signature Verification
Weaknesses CWE-345
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Hackerbay Oneuptime
Oneuptime Oneuptime
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T02:01:35.639Z

Reserved: 2026-03-17T20:35:49.929Z

Link: CVE-2026-33143

cve-icon Vulnrichment

Updated: 2026-03-24T02:01:31.892Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T21:17:14.933

Modified: 2026-03-23T20:48:27.347

Link: CVE-2026-33143

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:34:44Z

Weaknesses