Impact
OneUptime’s SAML SSO implementation separates the verification of XML signatures from the extraction of identity data. The signature validation routine checks only the first <Signature> element in the document, while the code that retrieves the user’s email always reads the first assertion, whether or not that assertion is the signed one. An attacker can exploit this mismatch by placing an unsigned SAML assertion containing a forged identity before a properly signed assertion. The system then accepts the forged identity because the signature check is satisfied by the later assertion, allowing the attacker to authenticate as any user without being detected. This flaw falls under the CWE-347 category of untrusted resource usage and results in an authentication bypass with the potential to gain unauthorized access to the application. The vulnerability affects all versions before OneUptime 10.0.42.
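The mismatch described above, as an added illustration that is not OneUptime’s code: a flawed extractor that checks for any signature but reads identity from the first assertion, beside a hardened extractor that insists on exactly one assertion and takes identity only from the element the signature’s Reference URI covers. The assertion fragments and NameID values are constructed samples, and the cryptographic XML-DSig check itself is assumed to be performed by the SAML library and is not reproduced here.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the response
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed fragments; the Signature body is abbreviated because the
# cryptographic check is assumed to be done by the SAML library beforehand.
UNSIGNED_ASSERTION = """
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>"""
SIGNED_ASSERTION = """
  <saml:Assertion ID="_a2">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a2"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>"""

def build_response(*assertions: str) -> str:
    """Wrap assertion fragments in a samlp:Response (constructed sample)."""
    head = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s">'
            % (NS["samlp"], NS["saml"], NS["ds"]))
    return head + "".join(assertions) + "\n</samlp:Response>"

def vulnerable_identity(xml_text: str) -> str:
    """Flawed pattern: checks that some (first) Signature exists, then reads
    the NameID from the first Assertion, which need not be the signed one."""
    root = ET.fromstring(xml_text)
    if root.find(".//ds:Signature", NS) is None:
        raise ValueError("no signature present")
    return root.find("saml:Assertion/saml:Subject/saml:NameID", NS).text

def hardened_identity(xml_text: str) -> str:
    """Require exactly one Assertion and take identity only from the element
    the Signature's Reference URI actually covers."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion, got %d" % len(assertions))
    assertion = assertions[0]
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        raise ValueError("signature does not cover this assertion")
    return assertion.find("saml:Subject/saml:NameID", NS).text
```

Run against a response built from both fragments, the flawed extractor returns the unsigned NameID while the hardened one rejects the document; on a single signed assertion both return the same identity.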
Affected Systems
The affected product is OneUptime, an open‑source monitoring and observability platform. All releases prior to version 10.0.42 are vulnerable; the issue was fixed in the 10.0.42 release. System administrators should verify that the application is running a patched version or, where upgrading is not yet possible, mitigate exposure of the SSO integration.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity vulnerability. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, leveraging the SAML SSO authorization flow, which can be triggered over the network. An attacker who can submit a crafted SAML response to the authentication endpoint can execute the bypass with minimal prerequisites, making the exploit relatively straightforward in environments where the SSO integration is exposed externally. Because the flaw lets the attacker assume the identity of any user, the impact on confidentiality, integrity, and availability is substantial, potentially allowing full control of the target system.
OpenCVE Enrichment