Vulnerability Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) decouples signature verification from identity extraction: isSignatureValid() verifies the first <Signature> element found in the XML DOM using xml-crypto, while getEmail() always reads the subject from assertion[0] as parsed by xml2js, with no check that the assertion it reads is the one the signature covers. An attacker who can obtain any legitimately signed assertion can prepend an unsigned assertion carrying an arbitrary identity before it; the signature check passes on the signed assertion and the identity is taken from the unsigned one, resulting in authentication bypass. This issue has been patched in version 10.0.42.
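The decoupled check described above, modelled as an added Python example (this is not OneUptime's code, which is TypeScript built on xml-crypto and xml2js). To run offline, the XMLDSig signature is replaced by an HMAC over the serialized assertion and ElementTree serialization stands in for C14N; the namespaces are the real SAML and XMLDSig ones, while the key, assertion IDs and e-mail addresses are constructed. `vulnerable_login` verifies the first `<Signature>` in document order and then reads the identity from `assertion[0]`; `hardened_login` reads it only from the element the verified signature covers and refuses responses carrying more than one assertion.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML, "samlp": SAMLP, "ds": DS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed stand-in for the IdP signing key. Real SAML uses an RSA/ECDSA XMLDSig
# signature checked against the IdP certificate; an HMAC keeps this example offline.
IDP_KEY = b"constructed-idp-signing-key"


def signed_bytes(element):
    """Serialize an element with its enveloped ds:Signature removed (toy stand-in for C14N)."""
    clone = copy.deepcopy(element)
    for sig in clone.findall("ds:Signature", NS):
        clone.remove(sig)
    return ET.tostring(clone)


def sign_assertion(assertion):
    """IdP side: envelope a signature whose Reference URI points at the assertion's own ID."""
    mac = hmac.new(IDP_KEY, signed_bytes(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(assertion, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(info, f"{{{DS}}}Reference", URI="#" + assertion.get("ID"))
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = mac


def make_assertion(assertion_id, email):
    assertion = ET.Element(f"{{{SAML}}}Assertion", ID=assertion_id)
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = email
    return assertion


def saml_response(*assertions):
    """Wrap assertions in a samlp:Response, as the browser would POST it to the SP."""
    response = ET.Element(f"{{{SAMLP}}}Response")
    response.extend([copy.deepcopy(a) for a in assertions])
    return ET.tostring(response)


def verify_signature(root, sig):
    """Return the element `sig` covers if its value checks out, else None."""
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    value = sig.findtext("ds:SignatureValue", namespaces=NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if value is None or not uri.startswith("#"):
        return None
    target = next((el for el in root.iter() if el.get("ID") == uri[1:]), None)
    if target is None or sig not in list(target):   # enveloped: must sit inside what it covers
        return None
    expected = hmac.new(IDP_KEY, signed_bytes(target), hashlib.sha256).hexdigest()
    return target if hmac.compare_digest(expected, value) else None


def vulnerable_login(response_xml):
    """Pre-10.0.42 shape: the first <Signature> is verified, identity comes from assertion[0]."""
    root = ET.fromstring(response_xml)
    sig = root.find(".//ds:Signature", NS)              # first Signature in document order
    if sig is None or verify_signature(root, sig) is None:
        return None
    first = root.findall("saml:Assertion", NS)[0]       # never tied to the node that was verified
    return first.findtext("saml:Subject/saml:NameID", namespaces=NS)


def hardened_login(response_xml):
    """Identity is read only from the assertion the verified signature actually covers."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                            # exactly one assertion, or refuse to guess
        return None
    sig = assertions[0].find("ds:Signature", NS)
    if sig is None or verify_signature(root, sig) is not assertions[0]:
        return None
    return assertions[0].findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo():
    # Constructed scenario: the attacker holds a low-privilege IdP account, captures a
    # genuinely signed assertion for it, and prepends an unsigned one naming the admin.
    own = make_assertion("_a1", "attacker@example.com")
    sign_assertion(own)
    honest = saml_response(own)
    forged = make_assertion("_a0", "admin@example.com")
    wrapped = saml_response(forged, own)
    return {
        "vulnerable_honest": vulnerable_login(honest),
        "vulnerable_wrapped": vulnerable_login(wrapped),
        "hardened_honest": hardened_login(honest),
        "hardened_wrapped": hardened_login(wrapped),
    }


if __name__ == "__main__":
    for case, who in demo().items():
        print(f"{case:20} -> {who}")
```

On the wrapped response the vulnerable path logs in admin@example.com on the strength of a signature that covers a different assertion, while the hardened path rejects it. The essential fix is the identity check `verify_signature(...) is assertions[0]`: whatever node the signature's Reference resolves to is the only node from which the subject may be read. Deployments where the IdP signs the Response rather than the Assertion need the equivalent binding at that level, and xml-crypto's own documentation warns that the caller must check which element a validated signature references.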
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hackerbay | Oneuptime | < 10.0.42 |
Related Weaknesses (CWE)
References
- https://github.com/OneUptime/oneuptime/commit/2fd7ede52f60444710628d6c1b34dee2ef (Patch)
- https://github.com/OneUptime/oneuptime/releases/tag/10.0.42 (Product, Release Notes)
- https://github.com/OneUptime/oneuptime/security/advisories/GHSA-5w5c-766x-265g (Exploit, Mitigation, Vendor Advisory)
FAQ
What is CVE-2026-34840?
CVE-2026-34840 is a vulnerability with a CVSS score of 8.1 (HIGH). OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verifica...
How severe is CVE-2026-34840?
CVE-2026-34840 has been rated HIGH with a CVSS base score of 8.1/10; see the CVSS Score section above.
Is there a patch for CVE-2026-34840?
Yes. The issue is patched in OneUptime 10.0.42; the fixing commit, release notes and vendor advisory are listed in the references section above. Affected products include: Hackerbay Oneuptime, versions before 10.0.42.