CVE-2026-28787 Overview
CVE-2026-28787 is a critical authentication bypass vulnerability affecting OneUptime, an open-source solution for monitoring and managing online services. The vulnerability exists in the WebAuthn authentication implementation where the challenge is not stored server-side but instead returned to the client and accepted back during verification. This implementation flaw violates the W3C Web Authentication Level 2 specification (§13.4.3) and enables attackers to replay valid WebAuthn assertions indefinitely, completely bypassing second-factor authentication.
Critical Impact
Attackers who obtain a valid WebAuthn assertion through XSS, Man-in-the-Middle attacks, or log exposure can replay it indefinitely to bypass multi-factor authentication, gaining unauthorized access to protected accounts.
Affected Products
- Hackerbay OneUptime version 10.0.11 and prior
- All OneUptime deployments using WebAuthn authentication
Discovery Timeline
- 2026-03-06 - CVE-2026-28787 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-28787
Vulnerability Analysis
This vulnerability represents a fundamental implementation flaw in the WebAuthn authentication flow. According to the W3C Web Authentication specification, the server must generate and store a cryptographically random challenge during the authentication ceremony. This challenge must be verified server-side to ensure that each authentication attempt is unique and cannot be replayed.
In the affected versions of OneUptime, the authentication system fails to persist the challenge on the server. Instead, the challenge is sent to the client and then accepted back from the client's request body during the verification phase. This creates a critical security gap where the server has no way to distinguish between a fresh authentication attempt and a replayed one.
The vulnerability is classified under CWE-287 (Improper Authentication), as it allows attackers to circumvent the authentication mechanism entirely once they obtain a valid assertion.
Root Cause
The root cause of this vulnerability is the improper implementation of the WebAuthn authentication protocol. The server-side code fails to maintain session state for the authentication challenge, instead trusting client-provided data for challenge verification. This violates the fundamental security principle that authentication challenges must be generated, stored, and validated exclusively on the server side to prevent replay attacks.
Attack Vector
The attack can be executed remotely over the network. An attacker must first obtain a valid WebAuthn assertion through one of several vectors:
- Cross-Site Scripting (XSS): Injecting malicious scripts to capture WebAuthn responses during legitimate authentication
- Man-in-the-Middle (MitM): Intercepting network traffic between the client and server to capture authentication data
- Log Exposure: Accessing server logs or debugging output that may contain authentication payloads
Once a valid assertion is captured, the attacker can replay it indefinitely since the server accepts the challenge from the request body rather than comparing it against a server-stored value. This completely negates the replay protection that WebAuthn is designed to provide.
The vulnerability requires high attack complexity as the attacker must first obtain a valid assertion through secondary means, but once obtained, exploitation is trivial and repeatable.
Detection Methods for CVE-2026-28787
Indicators of Compromise
- Multiple successful WebAuthn authentications from different IP addresses using identical assertion data
- Authentication attempts with challenges that were not generated in active server sessions
- Unusual patterns of successful 2FA completions without corresponding challenge generation events
- Log entries showing WebAuthn verification with client-provided challenges
Detection Strategies
- Implement logging to track challenge generation and consumption, flagging any challenge reuse
- Monitor for authentication patterns where the same user authenticates from geographically disparate locations in short timeframes
- Deploy network-level monitoring to detect potential MitM attacks targeting authentication endpoints
- Review application logs for signs of XSS exploitation that could lead to credential capture
Monitoring Recommendations
- Enable detailed audit logging for all WebAuthn authentication events including challenge generation
- Set up alerts for multiple successful authentications from the same user with identical assertion signatures
- Monitor for abnormal authentication success rates that could indicate automated replay attacks
- Implement real-time correlation of authentication events across security monitoring platforms
How to Mitigate CVE-2026-28787
Immediate Actions Required
- Evaluate the risk exposure of your OneUptime deployment and consider temporarily disabling WebAuthn authentication
- Implement alternative multi-factor authentication mechanisms until a patch is available
- Review access logs for signs of potential exploitation or suspicious authentication patterns
- Consider deploying additional network security controls to reduce XSS and MitM attack surface
Patch Information
No official patches are currently available for this vulnerability. According to the GitHub Security Advisory, users should monitor the OneUptime repository for security updates. Organizations using OneUptime version 10.0.11 or prior should implement workarounds until a fix is released.
Workarounds
- Disable WebAuthn-based authentication and switch to alternative 2FA methods such as TOTP or SMS verification
- Implement additional session validation controls at the application or network layer
- Deploy Web Application Firewall (WAF) rules to detect and block potential XSS attacks targeting authentication flows
- Restrict network access to the OneUptime application to trusted IP ranges where feasible
- Consider implementing additional authentication logging and anomaly detection to identify potential replay attempts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
