top of page
perceptive_background_267k.jpg

OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the…

Published:

5 maart 2026 om 23:00:00

Alert date:

6 maart 2026 om 06:03:40

Source:

nvd.nist.gov

Click to open the original link from this advisory

Identity & Access, Web Technologies

OneUptime monitoring solution version 10.0.11 and prior contains a critical WebAuthn authentication implementation flaw. The system does not store authentication challenges server-side, instead returning them to the client and accepting them back during verification. This violates W3C WebAuthn specifications and allows attackers who obtain valid WebAuthn assertions through XSS, MitM, or log exposure to replay them indefinitely. The vulnerability completely bypasses second-factor authentication with no known patches available.

Technical details

Mitigation steps:

Affected products:

OneUptime

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-28787
https://github.com/OneUptime/oneuptime/security/advisories/GHSA-gjjc-pcwp-c74m

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page