CVE-2026-28787
Published: 06 March 2026
Summary
CVE-2026-28787 is a high-severity Improper Authentication (CWE-287) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 8.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The exploit-likelihood score places the CVE at the 13.7th percentile (below the median), and it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms that protect the authenticity of communications sessions, including protection against replay. It directly counters the indefinite replay of a captured WebAuthn assertion that becomes possible when the server does not keep its own copy of the challenge it issued.
SI-2 mandates identification, reporting, and timely remediation of system flaws, directly addressing the improper WebAuthn implementation in CVE-2026-28787 to prevent exploitation.
IA-5 requires proper management and protection of authenticators, including ensuring compliant handling and server-side verification of WebAuthn challenges to mitigate replay risks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a flaw in the WebAuthn implementation of a public-facing web application that lets an attacker replay a captured assertion to bypass the second factor and sign in to a valid account: T1190 covers the initial exploitation of the exposed service, and T1078 (Valid Accounts) covers the resulting unauthorized access under a legitimate user's identity.
NVD Description
OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verification. This violates the WebAuthn specification (W3C Web Authentication Level 2, §13.4.3) and allows an attacker who has obtained a valid WebAuthn assertion (e.g., via XSS, MitM, or log exposure) to replay it indefinitely, completely bypassing the second-factor authentication. No known patches are available.
Deeper analysis
CVE-2026-28787 affects OneUptime, an open-source solution for monitoring and managing online services, specifically in versions 10.0.11 and prior. The vulnerability resides in the WebAuthn authentication implementation, which fails to store the authentication challenge on the server side. Instead, it returns the challenge to the client and accepts it back from the client request body during verification. This design violates the WebAuthn specification (W3C Web Authentication Level 2, §13.4.3) and enables replay attacks on valid WebAuthn assertions. The issue is associated with CWE-287 (Improper Authentication) and CWE-294 (Authentication Bypass by Capture-replay), with a CVSS v3.1 base score of 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N).
The vector requires network access (AV:N), low privileges (PR:L) and no user interaction (UI:N), but rates attack complexity as high (AC:H) because the attacker must first obtain a valid assertion for the target account, for example through cross-site scripting (XSS), man-in-the-middle (MitM) interception of the authentication exchange, or exposure of the assertion in logs. Because the server never records which challenge it issued, it cannot tell a fresh assertion from a replayed one, so a single captured assertion can be presented again on every later login attempt and defeats the second factor each time; the first factor is not affected. Successful exploitation grants high confidentiality and integrity impact (C:H/I:H) with a scope change (S:C), giving the attacker access to whatever the victim account can reach.
The GitHub Security Advisory (GHSA-gjjc-pcwp-c74m) details the issue but notes that no known patches are available for affected versions of OneUptime. Until a fix ships, practitioners should monitor the OneUptime project for updates and consider alternative second-factor mechanisms or network controls in the interim. Because a single captured assertion is enough, operators should also make sure WebAuthn responses are never written to application or proxy logs, and treat the same challenge value appearing in more than one successful verification as a sign of replay.
Details
- CWE(s)