WebAuthn Authentication Flaw in OneUptime Affects User Security
CVE-2026-28787

8.2 HIGH

Key Information:

Vendor: OneUptime
Status: Vendor
CVE Published: 6 March 2026

What is CVE-2026-28787?

OneUptime, a service for monitoring and managing online applications, has a significant vulnerability in its WebAuthn authentication mechanism in version 10.0.11 and earlier. The flaw stems from improper handling of the challenge parameter: the server hands the challenge to the client instead of keeping its own copy for verification, contrary to the W3C WebAuthn specification. Consequently, an attacker who obtains a legitimate WebAuthn assertion (for example through Cross-Site Scripting (XSS), a Man-in-the-Middle (MitM) position, or log exposure) can replay that assertion repeatedly, bypassing the intended second-factor check. This is a serious user-security concern, and at the time of writing no patch is available to mitigate the issue.
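The replay risk described above comes down to where the expected challenge lives when an assertion is verified. The following TypeScript is an added illustration, not OneUptime's code: it contrasts a weak verifier that can only compare the challenge inside clientDataJSON with a value the client sends back, against a hardened verifier that takes the expected challenge from server-side session state, expires it, and deletes it on first use. The session store (an in-memory Map), the constructed authenticator with a P-256 key, the origin https://example.test and all function names are assumptions made for the demo; real signature verification over authenticatorData || SHA-256(clientDataJSON) is performed with node:crypto so the replay behaviour is genuine.

```typescript
import { createHash, generateKeyPairSync, randomBytes, sign, verify, KeyObject } from "node:crypto";

// Constructed stand-in for the server's session store: session id -> pending challenge.
// The copy kept here is the ONLY challenge the hardened verifier will trust.
type PendingChallenge = { challenge: string; expiresAt: number };
const pending = new Map<string, PendingChallenge>();

const CHALLENGE_TTL_MS = 60_000;

// Step 1: the server mints a fresh random challenge, records it against the session,
// and sends it to the client in the PublicKeyCredentialRequestOptions.
function issueChallenge(sessionId: string, now: number = Date.now()): string {
  const challenge = randomBytes(32).toString("base64url");
  pending.set(sessionId, { challenge, expiresAt: now + CHALLENGE_TTL_MS });
  return challenge;
}

// Minimal shape of the assertion the browser returns from navigator.credentials.get().
interface Assertion {
  clientDataJSON: Buffer;      // JSON: { type, challenge, origin }
  authenticatorData: Buffer;
  signature: Buffer;
}

// Signature check shared by both verifiers: WebAuthn signs authenticatorData || SHA-256(clientDataJSON).
function signatureValid(a: Assertion, pubKey: KeyObject): boolean {
  const hash = createHash("sha256").update(a.clientDataJSON).digest();
  return verify("sha256", Buffer.concat([a.authenticatorData, hash]), pubKey, a.signature);
}

// WEAK pattern (the class of bug the advisory describes): the server holds no record of the
// challenge, so it can only check that clientDataJSON agrees with a value the client echoes back.
// A captured assertion plus its challenge therefore verifies every time it is replayed.
function verifyWeak(a: Assertion, clientEchoedChallenge: string, pubKey: KeyObject): boolean {
  const clientData = JSON.parse(a.clientDataJSON.toString("utf8"));
  return clientData.type === "webauthn.get"
    && clientData.challenge === clientEchoedChallenge
    && signatureValid(a, pubKey);
}

// HARDENED pattern: the expected challenge comes from server state, is bound to the session,
// expires, and is consumed on first use so a replayed assertion has nothing left to match.
function verifyHardened(sessionId: string, a: Assertion, pubKey: KeyObject,
                        expectedOrigin: string, now: number = Date.now()): boolean {
  const record = pending.get(sessionId);
  if (!record) return false;                 // no outstanding challenge for this session
  pending.delete(sessionId);                 // single use: consume before any other check
  if (now > record.expiresAt) return false;  // stale challenge
  const clientData = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return false;
  if (clientData.origin !== expectedOrigin) return false;
  if (clientData.challenge !== record.challenge) return false;
  return signatureValid(a, pubKey);
}

// Constructed authenticator: signs assertions the way a real one would, so the demo runs offline.
function makeAuthenticator() {
  const { privateKey, publicKey } = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  return {
    publicKey,
    assert(challenge: string, origin: string): Assertion {
      const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
      // rpIdHash || flags (UP set) || signCount, the fixed part of authenticatorData
      const authenticatorData = Buffer.concat([
        createHash("sha256").update("example.test").digest(),
        Buffer.from([0x01, 0, 0, 0, 0]),
      ]);
      const hash = createHash("sha256").update(clientDataJSON).digest();
      const signature = sign("sha256", Buffer.concat([authenticatorData, hash]), privateKey);
      return { clientDataJSON, authenticatorData, signature };
    },
  };
}

// Replay scenario: one captured assertion presented twice to each verifier.
function replayDemo(): { weak: boolean[]; hardened: boolean[] } {
  const origin = "https://example.test";
  const auth = makeAuthenticator();
  const challenge = issueChallenge("session-1");
  const captured = auth.assert(challenge, origin);   // the assertion an attacker would have captured
  const weak = [
    verifyWeak(captured, challenge, auth.publicKey),
    verifyWeak(captured, challenge, auth.publicKey),
  ];
  const hardened = [
    verifyHardened("session-1", captured, auth.publicKey, origin),
    verifyHardened("session-1", captured, auth.publicKey, origin),
  ];
  return { weak, hardened };
}
```

replayDemo() returns weak: [true, true] and hardened: [true, false]; the second hardened call fails only because the stored challenge was consumed, which is the property the advisory says is missing. Deleting the record before the expiry and origin checks is deliberate: any failed attempt also burns the challenge, so a mis-signed or mis-originated assertion cannot be retried against the same one.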

Affected Version(s)

oneuptime <= 10.0.11

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved