CVE-2026-33143
Published: 20 March 2026
Summary
CVE-2026-33143 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 12.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-9 (Service Identification and Authentication) and SC-8 (Transmission Confidentiality and Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires integrity verification mechanisms such as HMAC signatures to detect and prevent processing of forged WhatsApp webhook payloads.
Implements cryptographic mechanisms to protect the integrity of incoming webhook transmissions against unauthorized modification.
Mandates authentication of external services like WhatsApp using signature verification before processing webhook requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Lack of HMAC signature verification on public /notification/whatsapp/webhook endpoint directly enables unauthenticated exploitation of a public-facing application (T1190) and forged payload processing that manipulates stored notification status records/audit trails (T1565.001).
NVD Description
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery status records, suppress alerts, and corrupt audit trails. The codebase already implements proper signature verification for Slack webhooks. This issue has been patched in version 10.0.34.
Deeper analysis
CVE-2026-33143 affects OneUptime, an open-source solution for monitoring and managing online services, specifically versions prior to 10.0.34. The vulnerability resides in the WhatsApp POST webhook handler at the endpoint /notification/whatsapp/webhook, which processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature. This flaw, classified under CWE-345 (Insufficient Verification of Data Authenticity) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), means the handler accepts any webhook payload as genuine, unlike the properly verified Slack webhook implementation in the same codebase.
Any unauthenticated attacker with network access can exploit this vulnerability by sending forged webhook payloads to the affected endpoint. Successful exploitation allows manipulation of notification delivery status records, suppression of alerts, and corruption of audit trails, potentially disrupting incident response and monitoring integrity without requiring privileges, user interaction, or impacting confidentiality or availability directly.
The GitHub security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-g5ph-f57v-mwjc confirms that the issue has been patched in OneUptime version 10.0.34 by implementing proper signature verification for WhatsApp webhooks, urging users to upgrade immediately to mitigate the risk.
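The fix described above amounts to checking the X-Hub-Signature-256 header before any status record is touched. The following is an added example of that check, not OneUptime's own code: it assumes Meta's documented scheme (header value "sha256=" followed by the hex HMAC-SHA256 of the raw request body keyed with the app secret), and the secret and webhook body are constructed for illustration.

```typescript
// Added example: verify a Meta/WhatsApp webhook signature before processing it.
// Not OneUptime code; the app secret and sample body below are constructed.
import { createHmac, timingSafeEqual } from "crypto";

// Meta signs the exact bytes of the request body. Verifying a re-serialised
// JSON object instead of the raw body would break on whitespace/key order.
function expectedSignature(rawBody: Buffer, appSecret: string): string {
  return "sha256=" + createHmac("sha256", appSecret).update(rawBody).digest("hex");
}

// True only when the header is well-formed and matches the HMAC of rawBody.
// Constant-time comparison avoids leaking how many leading bytes matched.
function verifyWhatsAppSignature(
  rawBody: Buffer,
  signatureHeader: string | undefined,
  appSecret: string,
): boolean {
  if (!signatureHeader || !signatureHeader.startsWith("sha256=")) return false;
  const received = Buffer.from(signatureHeader.slice("sha256=".length), "hex");
  const expected = Buffer.from(expectedSignature(rawBody, appSecret).slice(7), "hex");
  // timingSafeEqual throws on length mismatch, so reject malformed hex first.
  if (received.length !== 32 || expected.length !== 32) return false;
  return timingSafeEqual(received, expected);
}

// Minimal handler shape: an unverified request is rejected before any
// notification status is read or updated.
function handleStatusWebhook(
  rawBody: Buffer,
  signatureHeader: string | undefined,
  appSecret: string,
): { accepted: boolean; statuses: string[] } {
  if (!verifyWhatsAppSignature(rawBody, signatureHeader, appSecret)) {
    return { accepted: false, statuses: [] };
  }
  const event = JSON.parse(rawBody.toString("utf8"));
  const statuses: string[] = [];
  for (const entry of event.entry ?? [])
    for (const change of entry.changes ?? [])
      for (const s of change.value?.statuses ?? []) statuses.push(`${s.id}:${s.status}`);
  return { accepted: true, statuses };
}

// Constructed sample: a delivery status event in the WhatsApp Cloud API shape.
const SAMPLE_SECRET = "constructed-app-secret";
const SAMPLE_BODY = Buffer.from(JSON.stringify({
  object: "whatsapp_business_account",
  entry: [{ changes: [{ value: { statuses: [{ id: "wamid.1", status: "delivered" }] } }] }],
}));
```

A tampered body fails the check even when the original header is replayed, because the HMAC covers the bytes that actually arrived.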
Details
- CWE(s)