Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() verifies the first <Signature> element in the XML DOM using xml-crypto, while getEmail() always reads from assertion[0] via xml2js. An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, resulting in authentication bypass. This issue has been patched in version 10.0.42.
Published: 2026-04-02
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass via Unsigned SAML Assertion
Action: Immediate Patch
AI Analysis

Impact

OneUptime’s SAML SSO implementation separates signature verification from identity extraction. The code verifies only the first <Signature> element in the XML, while the user’s email is always taken from the first assertion. An attacker can prepend an unsigned assertion containing any chosen identity before a properly signed assertion. The signature check passes on the signed part, but the application still uses the unsigned preceding assertion to determine the authenticated user, allowing login as an arbitrary user without credentials.

Affected Systems

All releases of OneUptime prior to version 10.0.42 are affected. The issue is resolved in the 10.0.42 release and later, with no other vendors or products listed as impacted.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score is under 1%, suggesting a lower likelihood of observed exploitation at present. The vulnerability is not yet listed in the CISA KEV catalog. Attackers can exploit this flaw by sending a crafted SAML assertion to the SSO endpoint; any user with the injected identity could gain full application access, potentially leading to data exposure or configuration changes. Exploitation requires only the ability to create and transmit a valid SAML assertion to the target system.

Generated by OpenCVE AI on April 13, 2026 at 22:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the OneUptime patch that upgrades to version 10.0.42 or later.
  • If an upgrade is not immediately possible, restrict SAML identity providers to trusted sources and consider disabling SAML SSO until the patch is applied.

Generated by OpenCVE AI on April 13, 2026 at 22:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Hackerbay
Hackerbay oneuptime
CPEs cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
Vendors & Products Hackerbay
Hackerbay oneuptime

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Oneuptime
Oneuptime oneuptime
Vendors & Products Oneuptime
Oneuptime oneuptime

Thu, 02 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() verifies the first <Signature> element in the XML DOM using xml-crypto, while getEmail() always reads from assertion[0] via xml2js. An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, resulting in authentication bypass. This issue has been patched in version 10.0.42.
Title OneUptime SSO: Multi-Assertion Identity Injection via Decoupled Signature Verification
Weaknesses CWE-347
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Hackerbay Oneuptime
Oneuptime Oneuptime
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T20:20:13.291Z

Reserved: 2026-03-30T20:52:53.284Z

Link: CVE-2026-34840

cve-icon Vulnrichment

Updated: 2026-04-02T20:20:08.122Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T20:16:28.357

Modified: 2026-04-13T18:46:00.960

Link: CVE-2026-34840

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:41:54Z

Weaknesses