{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34840", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.284Z", "datePublished": "2026-04-02T18:52:48.274Z", "dateUpdated": "2026-04-02T20:20:13.291Z"}, "containers": {"cna": {"title": "OneUptime SSO: Multi-Assertion Identity Injection via Decoupled Signature Verification", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-5w5c-766x-265g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-5w5c-766x-265g"}, {"name": "https://github.com/OneUptime/oneuptime/commit/2fd7ede52f60444710628d6c1b34dee2ef9e57d1", "tags": ["x_refsource_MISC"], "url": "https://github.com/OneUptime/oneuptime/commit/2fd7ede52f60444710628d6c1b34dee2ef9e57d1"}, {"name": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42", "tags": ["x_refsource_MISC"], "url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42"}], "affected": [{"vendor": "OneUptime", "product": "oneuptime", "versions": [{"version": "< 10.0.42", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:52:48.274Z"}, "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() verifies the first <Signature> element in the XML DOM using xml-crypto, while getEmail() always reads from assertion[0] via xml2js. An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, resulting in authentication bypass. This issue has been patched in version 10.0.42."}], "source": {"advisory": "GHSA-5w5c-766x-265g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T20:20:03.529115Z", "id": "CVE-2026-34840", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T20:20:13.291Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34840", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T20:20:03.529115Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T20:20:08.122Z"}}], "cna": {"title": "OneUptime SSO: Multi-Assertion Identity Injection via Decoupled Signature Verification", "source": {"advisory": "GHSA-5w5c-766x-265g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OneUptime", "product": "oneuptime", "versions": [{"status": "affected", "version": "< 10.0.42"}]}], "references": [{"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-5w5c-766x-265g", "name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-5w5c-766x-265g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OneUptime/oneuptime/commit/2fd7ede52f60444710628d6c1b34dee2ef9e57d1", "name": "https://github.com/OneUptime/oneuptime/commit/2fd7ede52f60444710628d6c1b34dee2ef9e57d1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42", "name": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() verifies the first <Signature> element in the XML DOM using xml-crypto, while getEmail() always reads from assertion[0] via xml2js. An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, resulting in authentication bypass. This issue has been patched in version 10.0.42."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:52:48.274Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34840", "state": "PUBLISHED", "dateUpdated": "2026-04-02T20:20:13.291Z", "dateReserved": "2026-03-30T20:52:53.284Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T18:52:48.274Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() verifies the first <Signature> element in the XML DOM using xml-crypto, while getEmail() always reads from assertion[0] via xml2js. An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, resulting in authentication bypass. This issue has been patched in version 10.0.42."}], "id": "CVE-2026-34840", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T20:16:28.357", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/OneUptime/oneuptime/commit/2fd7ede52f60444710628d6c1b34dee2ef9e57d1"}, {"source": "security-advisories@github.com", "url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42"}, {"source": "security-advisories@github.com", "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-5w5c-766x-265g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.0.42)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "oneuptime", "source": "cna", "vendor": "OneUptime"}, "product": "oneuptime", "vendor": "oneuptime"}], "analysis": {"en": {"generated_at": "2026-04-02T22:21:08.727632+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading OneUptime to version\u00a010.0.42 or later. If an upgrade is not immediately possible, disable or remove the SAML SSO integration from the application configuration to block the attack surface."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The affected product is OneUptime, an open\u2011source monitoring and observability platform. All releases prior to version\u00a010.0.42 are vulnerable; the issue was fixed in the 10.0.42 release. System administrators should verify that the application is running a patched version or otherwise mitigate the SSO configuration.", "description_and_impact": "OneUptime\u2019s SAML SSO implementation separates the verification of XML signatures from the extraction of identity data. The signature validation routine checks only the first <Signature> element, while the code that retrieves the user\u2019s email always reads the first assertion in the document. An attacker can exploit this mismatch by placing an unsigned SAML assertion containing a forged identity before a properly signed assertion. The system then accepts the forged identity because the signature check is satisfied by the later assertion, allowing the attacker to authenticate as any user without being detected. This flaw falls under the CWE-347 category of untrusted resource usage and results in an authentication bypass with the potential to gain unauthorized access to the application. The vulnerability is included in all versions before OneUptime\u00a010.0.42.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity vulnerability. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, leveraging the SAML SSO authorization flow that can be triggered over the network. An attacker who can inject a crafted SAML response into the authentication request can execute the bypass with minimal prerequisites, making the exploit relatively straightforward in environments where the SSO integration is exposed externally. Because the flaw permits elevation of privileges to any authenticated user, the impact on confidentiality, integrity, and availability is substantial, potentially allowing full control of the target system."}}}}, "created": "2026-04-03T07:31:36.943899+00:00", "updated": "2026-04-03T09:16:33.561349+00:00", "vendors": ["oneuptime", "oneuptime$PRODUCT$oneuptime"]}