CVE-2026-28787
WebAuthn Replay Vulnerability in OneUptime Enables 2FA Bypass

Publication date: 2026-03-06

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verification. This violates the WebAuthn specification (W3C Web Authentication Level 2, §13.4.3) and allows an attacker who has obtained a valid WebAuthn assertion (e.g., via XSS, MitM, or log exposure) to replay it indefinitely, completely bypassing the second-factor authentication. No known patches are available.
Meta Information
Published: 2026-03-06
Last Modified: 2026-03-10
Generated: 2026-05-07
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor      Product     Version / Range
hackerbay   oneuptime   up to 10.0.11 (inclusive)
CWE ID    Description
CWE-287   When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-294   A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can have serious security impacts if you use OneUptime with WebAuthn 2FA enabled. An attacker who obtains your password and a single valid WebAuthn assertion can bypass the second-factor authentication indefinitely by replaying the captured assertion.

  • Attackers can gain unauthorized access to your account without possessing your physical authenticator device.
  • The vulnerability can be exploited through techniques such as stored XSS, man-in-the-middle attacks, or log exposure to capture valid authentication assertions.
  • This effectively renders the WebAuthn 2FA protection useless, increasing the risk of account compromise.

The vulnerability has a high severity rating with a CVSS v3 score of 8.2, indicating significant confidentiality and integrity impacts.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


Can you explain this vulnerability to me?

This vulnerability affects the WebAuthn two-factor authentication (2FA) implementation in OneUptime versions 10.0.11 and earlier. The core issue is that the server does not store the WebAuthn challenge it generates during authentication. Instead, it returns the challenge to the client and later accepts the same challenge back from the client during verification.

This behavior violates the WebAuthn specification and allows an attacker who has obtained a valid WebAuthn assertion (for example, through cross-site scripting (XSS), man-in-the-middle (MitM) attacks, or log exposure) to replay that assertion indefinitely. As a result, the attacker can bypass the second-factor authentication completely without needing the victim’s authenticator device.

The vulnerability arises because the server uses the client-supplied challenge as the expected challenge during verification, which always matches the challenge embedded in the captured assertion, making the cryptographic signature valid and enabling replay attacks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring authentication requests for replayed WebAuthn assertions. Since the server does not store the challenge and accepts the challenge value from the client, repeated identical authentication requests containing the same WebAuthn assertion indicate exploitation attempts.

To detect such activity on your system or network, you can analyze logs or capture network traffic to identify repeated WebAuthn authentication requests with identical challenge and credential data.

Suggested commands include using network packet capture tools like tcpdump or Wireshark to filter WebAuthn authentication traffic, for example:

  • tcpdump -i <interface> -A -s 0 'tcp port 443' | grep -i 'challenge'
  • Use grep or similar tools on server logs to find repeated authentication requests with identical challenge values, e.g., grep 'challenge' /path/to/authentication/logs | sort | uniq -c | sort -nr

Additionally, monitoring for unusual authentication patterns such as multiple successful logins using the same WebAuthn assertion or repeated authentication attempts from the same client data can help identify exploitation.
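A log-side check for the pattern the answer above describes, added here as an example (not OneUptime's code or log format): because each genuine login signs a fresh random challenge, a signature value that appears in more than one successful verification is a replayed assertion. The JSON-lines log entries and their field names are constructed and assumed.

```javascript
// Added example (not OneUptime's code): find WebAuthn assertions reused across
// successful logins. With fresh random challenges a genuine authenticator never
// produces the same signature twice, so any repeat is a replay.
// Log format is constructed and assumed: one JSON object per line.
const sampleLog = [
  '{"ts":"2026-03-06T09:58:12Z","event":"webauthn.verify","user":"alice","result":"ok","sig":"sig-A1","ip":"198.51.100.7"}',
  '{"ts":"2026-03-06T10:03:44Z","event":"webauthn.verify","user":"alice","result":"ok","sig":"sig-A1","ip":"203.0.113.9"}',
  '{"ts":"2026-03-06T10:05:01Z","event":"webauthn.verify","user":"bob","result":"ok","sig":"sig-B1","ip":"198.51.100.8"}',
  '{"ts":"2026-03-06T10:09:30Z","event":"webauthn.verify","user":"alice","result":"fail","sig":"sig-A1","ip":"203.0.113.9"}',
  '{"ts":"2026-03-06T11:20:15Z","event":"webauthn.verify","user":"alice","result":"ok","sig":"sig-A1","ip":"203.0.113.9"}',
  'not json at all',
];

// Group successful verifications by signature value and report any seen twice.
function findReplayedAssertions(lines) {
  const bySig = new Map();
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { continue; } // skip unparsable lines
    if (e.event !== 'webauthn.verify' || e.result !== 'ok' || !e.sig) continue;
    if (!bySig.has(e.sig)) bySig.set(e.sig, []);
    bySig.get(e.sig).push(e);
  }
  const findings = [];
  for (const [sig, entries] of bySig) {
    if (entries.length < 2) continue;
    findings.push({
      sig, user: entries[0].user, count: entries.length,
      ips: [...new Set(entries.map((x) => x.ip))],
      firstSeen: entries[0].ts, lastSeen: entries[entries.length - 1].ts,
    });
  }
  return findings;
}
```

Failed attempts are excluded on purpose: a replayed assertion that the server rejected is noise for this check, while a repeat among successful logins is the bypass itself.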


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing server-side storage of the WebAuthn challenge value generated during authentication and verifying the client response against this stored challenge to prevent replay attacks.

Since no patches are currently available, you should consider the following actions:

  • Disable WebAuthn-based two-factor authentication temporarily to prevent exploitation.
  • Implement additional monitoring and rate limiting on authentication endpoints to reduce the risk of replay attacks.
  • Review and fix any cross-site scripting (XSS) vulnerabilities or other attack vectors that could allow an attacker to capture valid WebAuthn assertions.
  • Educate users about the risk and encourage strong password use and other security best practices until a patch is released.
