PT-2026-26199 · Oneuptime · Oneuptime

N0Rv-Tvt · Published 2026-03-18 · Updated 2026-03-24 · CVE-2026-33143

CVSS v4.0: 8.7 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 10.0.34

Description: OneUptime, a service monitoring solution, did not verify the Meta/WhatsApp X-Hub-Signature-256 HMAC signature on incoming status update events in its WhatsApp POST webhook handler (/notification/whatsapp/webhook). Because the handler acted on any well-formed body, an unauthenticated attacker could send crafted POST requests to /notification/whatsapp/webhook without a valid signature and forge webhook payloads, potentially reporting false delivery status, suppressing critical alerts, and corrupting the notification audit trail. The Slack webhook handler in the same codebase correctly implements signature verification. The vulnerable code resides in App/FeatureSet/Notification/API/WhatsApp.ts, lines 372-430.

Recommendations: Versions prior to 10.0.34 should be updated to version 10.0.34 or later, which adds the missing signature verification to the WhatsApp POST webhook handler.
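The check the advisory says was missing, shown as an added example in TypeScript (the project's language) that is not OneUptime's code and not the fix shipped in 10.0.34. It puts the unverified handler pattern beside a hardened one that validates X-Hub-Signature-256 the way Meta documents it: the header carries "sha256=" followed by the hex HMAC-SHA256 of the raw request body keyed with the app secret. APP_SECRET, the in-memory status store, the handler signatures and the two payloads are constructed for the example; the status body shape is a simplified version of a WhatsApp Cloud API status event.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Constructed secret for this example; a real deployment reads the Meta app secret from configuration.
export const APP_SECRET = "example-meta-app-secret";

export interface WebhookRequest {
  headers: Record<string, string | undefined>;
  // Raw request bytes. The HMAC must be computed over these, not over a
  // re-serialised JSON object, or genuine signatures will fail to verify.
  rawBody: Buffer;
}

export interface HandlerResult {
  httpStatus: number;
  reason: string;
}

// In-memory stand-in for the delivery-status records the advisory says an attacker could manipulate.
export type StatusStore = Map<string, string>;

// Produce the header value Meta sends: "sha256=" + hex(HMAC-SHA256(appSecret, rawBody)).
export function signPayload(rawBody: Buffer, secret: string): string {
  return "sha256=" + createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Constant-time verification of X-Hub-Signature-256 against the raw body.
export function verifyMetaSignature(req: WebhookRequest, secret: string): boolean {
  const header = req.headers["x-hub-signature-256"];
  if (typeof header !== "string" || !header.startsWith("sha256=")) return false;
  const provided = header.slice("sha256=".length);
  // A well-formed value is exactly 32 bytes of hex; reject anything else up front
  // so timingSafeEqual is never called with buffers of different lengths.
  if (!/^[0-9a-f]{64}$/i.test(provided)) return false;
  const expected = createHmac("sha256", secret).update(req.rawBody).digest();
  return timingSafeEqual(Buffer.from(provided, "hex"), expected);
}

// Apply the status updates in a simplified status webhook body:
// { entry: [{ changes: [{ value: { statuses: [{ id, status }] } }] }] }
function applyStatuses(rawBody: Buffer, store: StatusStore): number {
  const body = JSON.parse(rawBody.toString("utf8"));
  let applied = 0;
  for (const entry of body.entry ?? []) {
    for (const change of entry.changes ?? []) {
      for (const s of change.value?.statuses ?? []) {
        if (typeof s.id === "string" && typeof s.status === "string") {
          store.set(s.id, s.status);
          applied++;
        }
      }
    }
  }
  return applied;
}

// The pattern the advisory describes: the body is trusted without checking the signature.
export function vulnerableHandler(req: WebhookRequest, store: StatusStore): HandlerResult {
  const n = applyStatuses(req.rawBody, store);
  return { httpStatus: 200, reason: `applied ${n} unverified status update(s)` };
}

// Hardened form: authenticate the payload before acting on it.
export function hardenedHandler(req: WebhookRequest, store: StatusStore, secret: string): HandlerResult {
  if (!verifyMetaSignature(req, secret)) {
    return { httpStatus: 401, reason: "missing or invalid X-Hub-Signature-256" };
  }
  const n = applyStatuses(req.rawBody, store);
  return { httpStatus: 200, reason: `applied ${n} verified status update(s)` };
}

// Constructed payloads: one Meta would send, one an attacker would forge to mark the same message failed.
export const genuineBody = Buffer.from(JSON.stringify({
  entry: [{ changes: [{ value: { statuses: [{ id: "wamid.example-1", status: "delivered" }] } }] }],
}));
export const forgedBody = Buffer.from(JSON.stringify({
  entry: [{ changes: [{ value: { statuses: [{ id: "wamid.example-1", status: "failed" }] } }] }],
}));

// Run the forged, tampered and genuine requests through both handlers and report what each did.
export function runScenarios() {
  const vulnStore: StatusStore = new Map([["wamid.example-1", "sent"]]);
  const hardStore: StatusStore = new Map([["wamid.example-1", "sent"]]);
  const noSig: WebhookRequest = { headers: {}, rawBody: forgedBody };
  const genuine: WebhookRequest = {
    headers: { "x-hub-signature-256": signPayload(genuineBody, APP_SECRET) },
    rawBody: genuineBody,
  };
  // A valid signature replayed over a different body must not verify.
  const tampered: WebhookRequest = { headers: genuine.headers, rawBody: forgedBody };
  return {
    vulnerableAcceptsForgery: vulnerableHandler(noSig, vulnStore).httpStatus,
    vulnerableStoreAfter: vulnStore.get("wamid.example-1"),
    hardenedRejectsForgery: hardenedHandler(noSig, hardStore, APP_SECRET).httpStatus,
    hardenedRejectsTampered: hardenedHandler(tampered, hardStore, APP_SECRET).httpStatus,
    hardenedStoreAfterRejects: hardStore.get("wamid.example-1"),
    hardenedAcceptsGenuine: hardenedHandler(genuine, hardStore, APP_SECRET).httpStatus,
    hardenedStoreFinal: hardStore.get("wamid.example-1"),
  };
}
```

Two practical caveats when wiring this into a real handler: the HMAC must be taken over the exact bytes on the wire, so the route needs access to the raw body before any JSON middleware parses it; and the hub.verify_token handshake Meta performs on the GET subscription request authenticates nothing about later POST deliveries, so it is no substitute for checking the signature on every POST.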

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2026-33143
GHSA-G5PH-F57V-MWJC

Affected Products

Oneuptime