CVE-2026-28787
📋 TL;DR
This vulnerability in OneUptime allows attackers to bypass two-factor authentication by replaying stolen WebAuthn assertions. The flaw occurs because the server does not store the authentication challenge it issued, so it cannot check that an assertion answers a fresh, single-use challenge, which the WebAuthn specification requires. All OneUptime users running vulnerable versions are affected.
💻 Affected Systems
- OneUptime
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover for all users with WebAuthn enabled, allowing attackers to access monitoring dashboards, modify configurations, and potentially compromise monitored services.
Likely Case
Targeted attacks against administrators or privileged users to gain unauthorized access to OneUptime management interfaces.
If Mitigated
Limited impact if WebAuthn is disabled or if additional authentication layers are implemented.
🎯 Exploit Status
Requires obtaining a valid WebAuthn assertion first (via XSS, MitM, or log exposure), then replaying it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-gjjc-pcwp-c74m
Restart Required: No
Instructions:
No official patch available. Monitor vendor advisory for updates.
🔧 Temporary Workarounds
Disable WebAuthn Authentication
Temporarily disable WebAuthn two-factor authentication until a patch is available.
Implement Additional Authentication Controls
Add IP whitelisting or rate limiting to authentication endpoints.
🧯 If You Can't Patch
- Disable WebAuthn authentication entirely and use alternative 2FA methods
- Implement network segmentation to restrict access to OneUptime instances
🔍 How to Verify
Check if Vulnerable:
Check if running OneUptime version 10.0.11 or earlier with WebAuthn enabled
Check Version:
Check OneUptime dashboard or configuration files for version information
Verify Fix Applied:
Verify WebAuthn is disabled or monitor for vendor patch release
📡 Detection & Monitoring
Log Indicators:
- Multiple successful WebAuthn authentications from the same assertion
- Rapid authentication attempts with similar challenge values
Network Indicators:
- Repeated authentication requests with identical payloads
SIEM Query:
source="oneuptime" AND event="webauthn_authentication" | stats count by user, assertion_id