CVE-2026-28787
Received Received - Intake
WebAuthn Replay Vulnerability in OneUptime Enables 2FA Bypass

Publication date: 2026-03-06

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verification. This violates the WebAuthn specification (W3C Web Authentication Level 2, Β§13.4.3) and allows an attacker who has obtained a valid WebAuthn assertion (e.g., via XSS, MitM, or log exposure) to replay it indefinitely, completely bypassing the second-factor authentication. No known patches are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28787
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hackerbay oneuptime to 10.0.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-294 A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Impact Analysis

This vulnerability can have serious security impacts if you use OneUptime with WebAuthn 2FA enabled. An attacker who obtains your password and a single valid WebAuthn assertion can bypass the second-factor authentication indefinitely by replaying the captured assertion.

  • Attackers can gain unauthorized access to your account without possessing your physical authenticator device.
  • The vulnerability can be exploited through techniques such as stored XSS, man-in-the-middle attacks, or log exposure to capture valid authentication assertions.
  • This effectively renders the WebAuthn 2FA protection useless, increasing the risk of account compromise.

The vulnerability has a high severity rating with a CVSS v3 score of 8.2, indicating significant confidentiality and integrity impacts.

Executive Summary

This vulnerability affects the WebAuthn two-factor authentication (2FA) implementation in OneUptime versions 10.0.11 and earlier. The core issue is that the server does not store the WebAuthn challenge it generates during authentication. Instead, it returns the challenge to the client and later accepts the same challenge back from the client during verification.

This behavior violates the WebAuthn specification and allows an attacker who has obtained a valid WebAuthn assertion (for example, through cross-site scripting (XSS), man-in-the-middle (MitM) attacks, or log exposure) to replay that assertion indefinitely. As a result, the attacker can bypass the second-factor authentication completely without needing the victim’s authenticator device.

The vulnerability arises because the server uses the client-supplied challenge as the expected challenge during verification, which always matches the challenge embedded in the captured assertion, making the cryptographic signature valid and enabling replay attacks.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring authentication requests for replayed WebAuthn assertions. Since the server does not store the challenge and accepts the challenge value from the client, repeated identical authentication requests containing the same WebAuthn assertion indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'To detect such activity on your system or network, you can analyze logs or capture network traffic to identify repeated WebAuthn authentication requests with identical challenge and credential data.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network packet capture tools like tcpdump or Wireshark to filter WebAuthn authentication traffic, for example:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port 443' | grep -i 'challenge'"}, {'type': 'list_item', 'content': "Use grep or similar tools on server logs to find repeated authentication requests with identical challenge values, e.g., grep 'challenge' /path/to/authentication/logs | sort | uniq -c | sort -nr"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unusual authentication patterns such as multiple successful logins using the same WebAuthn assertion or repeated authentication attempts from the same client data can help identify exploitation.'}] [1]

Mitigation Strategies

Immediate mitigation steps include implementing server-side storage of the WebAuthn challenge value generated during authentication and verifying the client response against this stored challenge to prevent replay attacks.

Since no patches are currently available, you should consider the following actions:

  • Disable WebAuthn-based two-factor authentication temporarily to prevent exploitation.
  • Implement additional monitoring and rate limiting on authentication endpoints to reduce the risk of replay attacks.
  • Review and fix any cross-site scripting (XSS) vulnerabilities or other attack vectors that could allow an attacker to capture valid WebAuthn assertions.
  • Educate users about the risk and encourage strong password use and other security best practices until a patch is released.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28787. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart