CVE-2026-34840 Overview
CVE-2026-34840 is an authentication bypass vulnerability in OneUptime, an open-source monitoring and observability platform. The vulnerability exists in the SAML SSO implementation where decoupled signature verification and identity extraction allow attackers to bypass authentication controls. Prior to version 10.0.42, the application's isSignatureValid() function verifies the first <Signature> element in the XML DOM using xml-crypto, while getEmail() always reads from assertion[0] via xml2js. This architectural flaw enables an attacker to prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, effectively bypassing authentication.
Critical Impact
Attackers can bypass SAML SSO authentication by injecting unsigned assertions with arbitrary user identities, potentially gaining unauthorized access to monitoring and observability systems as any user.
Affected Products
- OneUptime versions prior to 10.0.42
- OneUptime SAML SSO implementations using App/FeatureSet/Identity/Utils/SSO.ts
Discovery Timeline
- April 2, 2026 - CVE-2026-34840 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34840
Vulnerability Analysis
This vulnerability falls under CWE-347 (Improper Verification of Cryptographic Signature), a critical weakness in SAML implementations. The core issue stems from a design flaw where the signature verification logic and identity extraction logic operate on different elements within the SAML response XML document.
In vulnerable versions, the isSignatureValid() function validates the first <Signature> element found in the XML DOM using the xml-crypto library. However, the getEmail() function independently parses the XML using xml2js and extracts user identity from assertion[0]. This decoupling creates a critical security gap.
An attacker with the ability to intercept and modify SAML responses can prepend an unsigned assertion containing a forged identity (such as an administrator's email address) before a legitimately signed assertion. When processed, the signature verification passes because it validates the legitimate second assertion, while the identity extraction reads from the malicious first assertion.
Root Cause
The root cause is the architectural separation between signature verification and identity extraction in the SAML response handling logic. The application uses two different XML parsing approaches (xml-crypto for signature validation and xml2js for data extraction) without ensuring they operate on the same validated assertion element. This allows attackers to exploit the mismatch by inserting additional assertion elements that pass validation but provide different identity data.
Attack Vector
The attack requires network access and authenticated positioning as a low-privileged user to intercept SAML responses. The attacker modifies the SAML response by prepending an unsigned assertion with a target identity (e.g., an administrator's email). When the OneUptime server processes this modified response, it validates the signature on the legitimate assertion but extracts user identity from the injected unsigned assertion, granting the attacker access as the target user.
// Security patch in App/FeatureSet/Identity/Utils/SSO.ts
// Source: https://github.com/OneUptime/oneuptime/commit/2fd7ede52f60444710628d6c1b34dee2ef9e57d1
throw new BadRequestException("SAML Assertion not found");
}
+ if (samlAssertion.length !== 1) {
+ throw new BadRequestException(
+ "Expected exactly one Assertion in SAML Response",
+ );
+ }
+
const samlSubject: JSONArray =
((samlAssertion[0] as JSONObject)["saml2:Subject"] as JSONArray) ||
((samlAssertion[0] as JSONObject)["saml:Subject"] as JSONArray) ||
Source: GitHub Commit Details
Detection Methods for CVE-2026-34840
Indicators of Compromise
- SAML responses containing multiple <Assertion> or <saml:Assertion> elements
- Authentication logs showing sudden privilege escalation or access from unexpected user accounts
- SAML response payloads with abnormally large sizes or unusual XML structure
- Authentication events from users who haven't initiated SSO login flows
Detection Strategies
- Implement XML validation rules to detect SAML responses with multiple assertion elements
- Deploy application-layer firewalls with SAML-specific inspection capabilities to identify malformed responses
- Monitor authentication logs for anomalous patterns such as users authenticating from unexpected locations or accessing resources outside their normal scope
- Establish baseline behavior for SAML authentications and alert on deviations
Monitoring Recommendations
- Enable detailed logging for all SAML authentication events including full response payloads where feasible
- Configure alerting for authentication failures followed by unexpected successful logins
- Monitor for lateral movement patterns following SAML authentications
- Implement session monitoring to detect account takeover indicators post-authentication
How to Mitigate CVE-2026-34840
Immediate Actions Required
- Upgrade OneUptime to version 10.0.42 or later immediately
- Review authentication logs for signs of exploitation prior to patching
- Audit user access patterns to identify potential unauthorized access
- Consider temporarily disabling SAML SSO and using alternative authentication methods until patched
Patch Information
The vulnerability has been addressed in OneUptime version 10.0.42. The fix adds validation to ensure exactly one SAML assertion exists in the response before processing. If multiple assertions are detected, the application now throws a BadRequestException with the message "Expected exactly one Assertion in SAML Response".
Patch details are available at:
Workarounds
- Disable SAML SSO authentication temporarily and use local authentication mechanisms
- Implement a Web Application Firewall (WAF) rule to reject SAML responses containing multiple assertion elements
- Add network-level controls to restrict SAML response sources to trusted Identity Providers only
- Consider implementing additional session validation mechanisms independent of SAML assertions
# Example: Upgrade OneUptime to patched version
git fetch --tags
git checkout 10.0.42
npm install
npm run build
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
