CVE-2026-34840
Published: 02 April 2026
Summary
CVE-2026-34840 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Hackerbay Oneuptime. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires rigorous input validation of SAML XML responses, rejecting malformed structures with prepended unsigned assertions before identity extraction.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, directly addressing the decoupled SAML signature verification by patching to version 10.0.42.
- Enforces robust organizational user identification and authentication mechanisms to counter SAML-based authentication bypass vulnerabilities.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass flaw in the SAML SSO endpoint of a public-facing web application, directly enabling exploitation of public-facing applications to gain unauthorized access as arbitrary identities.
NVD Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() verifies the first <Signature> element in the XML DOM using xml-crypto, while getEmail() always reads from assertion[0] via xml2js. An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, resulting in authentication bypass. This issue has been patched in version 10.0.42.
Deeper analysis
CVE-2026-34840 is a high-severity vulnerability (CVSS 8.1) in the SAML SSO implementation of OneUptime, an open-source monitoring and observability platform. Affecting versions prior to 10.0.42, the flaw stems from decoupled signature verification and identity extraction in the file App/FeatureSet/Identity/Utils/SSO.ts. The isSignatureValid() function checks the first <Signature> element in the XML DOM using the xml-crypto library, while getEmail() extracts the identity from assertion[0] (the first assertion in document order) via xml2js, regardless of which assertion the verified signature actually covers. This allows an attacker to prepend an unsigned assertion with an arbitrary identity before a valid signed assertion, enabling authentication bypass (CWE-347).
The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and unchanged scope (S:U), resulting in high confidentiality and integrity impacts (C:H/I:H) but no availability disruption (A:N). A low-privileged user or attacker able to submit a crafted SAML response to OneUptime's SSO endpoint can prepend a malicious unsigned assertion containing a fabricated identity (e.g., admin email), tricking the system into authenticating them as that identity while the subsequent signed assertion passes verification.
Mitigation is available via upgrade to OneUptime version 10.0.42, where the issue was patched. Relevant resources include the security advisory at GHSA-5w5c-766x-265g, the release notes for v10.0.42, and the fixing commit 2fd7ede52f60444710628d6c1b34dee2ef9e57d1 on the project's GitHub repository.
Details
- CWE(s)