PT-2026-22998 · Unknown+1 · @Simplewebauthn/Server+1
Dorakemon · Published 2026-03-02 · Updated 2026-03-11 · CVE-2026-28787
CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OneUptime versions 10.0.11 and prior

Description: The WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verification, violating the WebAuthn specification. This allows an attacker who has obtained a valid WebAuthn assertion (e.g., via XSS, MitM, or log exposure) to replay it indefinitely, bypassing the second-factor authentication.

The server generates a challenge using the generateAuthenticationOptions() function in Common/Server/Services/UserWebAuthnService.ts. The server reads the expectedChallenge directly from the request body at /api/identity/authentication/login. The verifyAuthentication() method then passes this client-provided challenge to @simplewebauthn/server's verifyAuthenticationResponse(). This allows an attacker to replay a captured assertion by sending a request containing the victim's email, password, and the captured challenge and credential.

Recommendations: Versions prior to 10.0.11 should be updated when a fix is available. As a temporary workaround, consider disabling WebAuthn authentication until a patch is available.
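The following is an added illustration, not code from OneUptime or @simplewebauthn/server. It contrasts the vulnerable shape described above (expected challenge taken from the request body) with a server-side challenge store that is single-use and time-limited. The in-memory store, the TTL, the AssertionLike type and the makeAssertion() helper are assumptions of this example; signature and origin checks are left out to isolate the challenge-binding logic.

```typescript
import { randomBytes } from "node:crypto";

// Hypothetical in-memory store keyed by user id. Production code would use a shared
// store with TTL (e.g. Redis) so challenges survive across server instances.
interface PendingChallenge { challenge: string; expiresAt: number; }
const pendingChallenges = new Map<string, PendingChallenge>();
const CHALLENGE_TTL_MS = 60_000;

// Minimal stand-in for a WebAuthn assertion: the browser embeds the challenge it was
// given in clientDataJSON, which the authenticator signs. Signature checks are omitted
// here to isolate the challenge binding the advisory is about.
export interface AssertionLike { clientDataJSON: string; }

// Builds a constructed assertion for a given challenge (what a browser would produce).
export function makeAssertion(challenge: string): AssertionLike {
  const json = JSON.stringify({ type: "webauthn.get", challenge, origin: "https://example.test" });
  return { clientDataJSON: Buffer.from(json, "utf8").toString("base64url") };
}

function challengeFromAssertion(a: AssertionLike): string | undefined {
  try {
    const data = JSON.parse(Buffer.from(a.clientDataJSON, "base64url").toString("utf8"));
    return data.type === "webauthn.get" ? data.challenge : undefined;
  } catch {
    return undefined;
  }
}

// Step 1: generate the challenge and keep it on the server, bound to the user.
export function issueChallenge(userId: string, now: number = Date.now()): string {
  const challenge = randomBytes(32).toString("base64url");
  pendingChallenges.set(userId, { challenge, expiresAt: now + CHALLENGE_TTL_MS });
  return challenge;
}

// Vulnerable shape from the advisory: expectedChallenge comes from the request body,
// so whoever holds a captured assertion also holds the value it will be checked against.
export function verifyVulnerable(body: { assertion: AssertionLike; expectedChallenge: string }): boolean {
  return challengeFromAssertion(body.assertion) === body.expectedChallenge;
}

// Hardened shape: expectedChallenge comes only from server state, is consumed on first
// use (whether or not verification succeeds) and expires, so a captured assertion
// cannot be presented a second time.
export function verifyHardened(userId: string, assertion: AssertionLike, now: number = Date.now()): boolean {
  const entry = pendingChallenges.get(userId);
  pendingChallenges.delete(userId);
  if (!entry || entry.expiresAt < now) return false;
  return challengeFromAssertion(assertion) === entry.challenge;
}
```

A detection angle follows from the same logic: if a deployment cannot patch yet, repeated login requests carrying the same challenge value for one account are a signal worth alerting on.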

Weakness Enumeration: Improper Authentication

Related Identifiers:
  CVE-2026-28787
  GHSA-GJJC-PCWP-C74M

Affected Products:
  @Simplewebauthn/Server
  Oneuptime