CVE-2026-28787 in OneUptime

Summary

by MITRE • 03/06/2026

OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verification. This violates the WebAuthn specification (W3C Web Authentication Level 2, §13.4.3) and allows an attacker who has obtained a valid WebAuthn assertion (e.g., via XSS, MitM, or log exposure) to replay it indefinitely, completely bypassing the second-factor authentication. No known patches are available.


Analysis

by VulDB Data Team • 03/11/2026

The vulnerability identified as CVE-2026-28787 affects OneUptime version 10.0.11 and earlier, specifically its WebAuthn authentication mechanism. This authentication protocol is designed to provide strong second-factor authentication using cryptographic keys instead of traditional passwords. The flaw stems from an improper implementation of the WebAuthn specification in which the server fails to retain the challenge value during the authentication process, creating a critical security gap that undermines the entire purpose of multi-factor authentication. According to the W3C Web Authentication Level 2 specification, section 13.4.3, the server must securely store the challenge value and verify it during assertion verification to prevent replay attacks. This implementation error fundamentally compromises the security model that WebAuthn was designed to enforce.

The technical flaw manifests when the WebAuthn authentication flow is executed, as the challenge value generated by the server is sent to the client and then returned in the assertion request body during verification. This approach violates the established security principle that challenge values must be maintained server-side to ensure freshness and prevent replay attacks. The server-side storage of challenges is a critical component of the WebAuthn protocol that prevents attackers from reusing valid assertions across multiple authentication attempts. When this mechanism fails, an attacker who gains access to a valid WebAuthn assertion through various attack vectors can reuse that assertion indefinitely without re-authentication, effectively bypassing the second-factor authentication mechanism entirely.

The operational impact of this vulnerability is severe and far-reaching, as it completely undermines the security posture of systems relying on OneUptime's WebAuthn implementation. An attacker who successfully obtains a valid assertion through cross-site scripting attacks, man-in-the-middle techniques, or exposure of log files can perpetually access protected systems without additional authentication requirements. This creates a persistent backdoor that remains active until the assertion expires naturally or the user's credentials are changed, which may not occur for extended periods. The vulnerability affects all authentication scenarios where WebAuthn assertions are used, making it particularly dangerous in environments where privileged access is granted through this mechanism. The lack of available patches compounds the risk, as organizations cannot remediate the issue through standard update procedures, forcing them to implement workarounds or alternative authentication mechanisms.

Organizations utilizing OneUptime with affected versions should immediately implement compensating controls to mitigate the risk. The most effective immediate mitigation involves disabling WebAuthn authentication until a patched version is available, or implementing additional verification mechanisms such as time-based one-time passwords or hardware security keys that provide stronger authentication guarantees. Security teams should also conduct comprehensive monitoring for unauthorized authentication attempts and implement strict access controls to limit the damage potential of compromised assertions. The vulnerability aligns with CWE-310, which addresses cryptographic weaknesses, and maps to ATT&CK technique T1550.001 for use of valid credentials, as attackers can leverage the compromised assertions to maintain persistent access. Additionally, this represents a failure in the authentication framework that could be classified under ATT&CK technique T1078.004 for valid accounts, where compromised authentication tokens allow continued system access without detection.

Responsible

GitHub M

Reservation

03/03/2026

Disclosure

03/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00066

KEV

no

Activities

very low

Sources
