{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-34840/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-34840"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-34840","saml","authentication-bypass","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOneUptime, an open-source monitoring and observability platform, is vulnerable to an authentication bypass in versions prior to 10.0.42. The vulnerability, identified as CVE-2026-34840, resides in the SAML Single Sign-On (SSO) implementation within the \u003ccode\u003eApp/FeatureSet/Identity/Utils/SSO.ts\u003c/code\u003e file. The flawed logic involves a decoupling of signature verification and identity extraction processes. Specifically, the \u003ccode\u003eisSignatureValid()\u003c/code\u003e function checks the signature of the first \u003ccode\u003e\u0026lt;Signature\u0026gt;\u003c/code\u003e element, while the \u003ccode\u003egetEmail()\u003c/code\u003e function extracts the email address from the first assertion element \u003ccode\u003eassertion[0]\u003c/code\u003e. This design allows an attacker to prepend a malicious, unsigned SAML assertion containing an arbitrary identity before a legitimate, signed assertion. This bypasses authentication, potentially granting unauthorized access to sensitive monitoring data and platform functionalities. The vulnerability has been patched in version 10.0.42.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious SAML response containing an unsigned assertion with a forged identity (e.g., a privileged user\u0026rsquo;s email).\u003c/li\u003e\n\u003cli\u003eThe attacker prepends this malicious assertion to a valid, signed SAML assertion generated for a low-privilege account or a newly created account.\u003c/li\u003e\n\u003cli\u003eThe combined SAML response is sent to the OneUptime platform for authentication.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eisSignatureValid()\u003c/code\u003e function verifies the signature of the second assertion (the originally signed, valid one), passing the signature check.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egetEmail()\u003c/code\u003e function extracts the email address from the first assertion (the malicious, unsigned one), effectively impersonating the forged identity.\u003c/li\u003e\n\u003cli\u003eOneUptime grants access based on the forged identity extracted from the malicious assertion.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the OneUptime platform with the privileges of the impersonated user.\u003c/li\u003e\n\u003cli\u003eThe attacker can then view monitoring data, modify configurations, or perform other actions allowed to the compromised account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34840 allows an attacker to bypass authentication and impersonate any user on the OneUptime platform. This could lead to unauthorized access to sensitive monitoring data, modification of system configurations, and potentially complete compromise of the OneUptime instance. The vulnerability has a CVSS v3.1 base score of 8.1, indicating a high severity. Organizations using vulnerable OneUptime versions are at risk of significant data breaches and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade OneUptime instances to version 10.0.42 or later to patch CVE-2026-34840.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to inspect SAML responses for multiple assertions and reject requests containing more than one assertion to prevent the attack described in the attack chain.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious SAML authentication requests and responses, focusing on unusual source IPs or deviations from normal authentication patterns related to the webserver log source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T20:16:28Z","date_published":"2026-04-02T20:16:28Z","id":"/briefs/2024-01-oneuptime-auth-bypass/","summary":"OneUptime versions prior to 10.0.42 are vulnerable to an authentication bypass due to improper SAML signature validation, allowing attackers to impersonate users by prepending unsigned assertions.","title":"OneUptime SAML SSO Authentication Bypass Vulnerability (CVE-2026-34840)","url":"https://feed.craftedsignal.io/briefs/2024-01-oneuptime-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-34840","version":"https://jsonfeed.org/version/1.1"}