CVE-2026-34840
Authentication Bypass in OneUptime SAML SSO via XML Signature Flaw
Publication date: 2026-04-02
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hackerbay | oneuptime | all versions before 10.0.42 (10.0.42 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34840 is a critical vulnerability in OneUptime's SAML Single Sign-On (SSO) implementation caused by a disconnect between signature verification and identity extraction.
The signature verification function checks only the first <Signature> element found in the SAML response; when an unsigned assertion is prepended, that first signature belongs to the second, legitimately signed assertion.
Meanwhile, the identity extraction function always reads the user identity from the first assertion in document order, regardless of whether that assertion is signed.
Because these two processes use different XML parsers and do not correlate the signed assertion with the extracted identity, an attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion.
This allows the attacker to bypass authentication by having the signature verification succeed on the signed assertion while the identity is extracted from the attacker-controlled unsigned assertion.
How can this vulnerability impact me?
This vulnerability allows an attacker with a valid Identity Provider (IdP) account to impersonate any other user within the same OneUptime SSO-enabled project.
The attacker can bypass authentication by injecting an unsigned assertion with an arbitrary identity before a signed assertion, causing the system to accept the attacker-controlled identity.
This leads to a high-severity authentication bypass, potentially granting unauthorized access to sensitive data or functions within OneUptime.
The impact is conditional on the IdP using assertion-level signatures and affects OneUptime versions prior to 10.0.42.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exploitation attempts means identifying SAML responses that carry more than one assertion, where the first assertion is unsigned and the second is legitimately signed.
Because the flaw is a mismatch between which assertion is signature-checked and which assertion the identity is read from, inspecting SAML responses for multiple assertions and for where the <Signature> element sits is the most direct indicator.
In practice this means capturing SAML responses and parsing them to count assertions and locate signatures, using XML parsing tools or short scripts:
- Use network capture tools (e.g., tcpdump, Wireshark) to capture SAML response traffic.
- Extract and decode the SAML response (usually base64 encoded) using command line tools like `base64 -d`.
- Use XML parsing commands or scripts (e.g., `xmllint`, Python scripts with xml.etree.ElementTree or xml2js in Node.js) to count the number of `<Assertion>` elements and check which assertion contains the `<Signature>` element.
- Look for SAML responses where the first assertion is unsigned but contains user identity information, and the second assertion is signed.
The referenced resources provide no specific commands; the steps above outline how to detect the multiple-assertion, second-assertion-signed pattern that characterises this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating OneUptime to version 10.0.42 or later, where the vulnerability has been patched.
The patch enforces that SAML responses contain exactly one assertion, rejecting responses with multiple assertions to prevent the multi-assertion injection attack.
Additional mitigation recommendations include:
- Enforce that the Identity Provider (IdP) signs the entire SAML Response envelope rather than individual assertions.
- Implement validation to bind the signature verification tightly to the identity extraction by ensuring the identity is extracted only from the signed assertion.
- Add further SAML validation checks such as temporal validity, destination validation, and audience restriction.
These steps help ensure that authentication bypass via unsigned assertions is prevented.
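The following script is an added example, not OneUptime's code and not taken from the advisory. It implements both the detection rule from the previous answer (flag responses with more than one assertion where the first is unsigned and a later one is signed) and the hardened extraction rule from this answer (accept exactly one assertion and read the identity only from the element that carries the signature). It uses only Python's standard library; the sample responses, assertion IDs and NameID values are constructed for the demonstration. It checks signature placement structurally only; cryptographic verification of the signature still has to be done with a proper XML-DSig library before any identity is trusted.

```python
"""Structural SAML 2.0 response checks (added example; not OneUptime's code).

Cryptographic XML-DSig verification is deliberately out of scope here: these
functions only decide WHICH assertion carries a Signature and whether the
identity would be read from that same assertion.
"""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def decode_saml_response(b64: str) -> str:
    """A captured SAMLResponse form field is base64; decode it to XML text."""
    return base64.b64decode(b64).decode("utf-8")


def assertions_with_signature_state(response_xml: str) -> list[dict]:
    """Return each Assertion in document order with its ID, NameID and whether
    it carries its own ds:Signature as a direct child (assertion-level signing)."""
    root = ET.fromstring(response_xml)
    states = []
    for a in root.iter(f"{{{SAML}}}Assertion"):
        signed = a.find(f"{{{DS}}}Signature") is not None
        name_id = a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
        states.append({"id": a.get("ID"), "name_id": name_id, "signed": signed})
    return states


def is_suspicious(response_xml: str) -> bool:
    """Detection rule: more than one Assertion, first one unsigned, a later one signed."""
    states = assertions_with_signature_state(response_xml)
    return (len(states) > 1
            and not states[0]["signed"]
            and any(s["signed"] for s in states[1:]))


def extract_identity_strict(response_xml: str) -> str:
    """Hardened extraction mirroring the fix described on the page: exactly one
    Assertion, it must be the signed one, and NameID is read from that element.
    Raises ValueError otherwise (caller must still verify the signature itself)."""
    states = assertions_with_signature_state(response_xml)
    if len(states) != 1:
        raise ValueError(f"expected exactly one Assertion, got {len(states)}")
    only = states[0]
    if not only["signed"]:
        raise ValueError("the single Assertion carries no Signature")
    if not only["name_id"]:
        raise ValueError("signed Assertion has no NameID")
    return only["name_id"]


# --- constructed sample inputs (placeholder signature, not a real XML-DSig) ---
def _assertion(aid: str, name_id: str, signed: bool) -> str:
    sig = ("<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
           "</ds:Signature>") if signed else ""
    return (f'<saml:Assertion ID="{aid}" Version="2.0">{sig}'
            f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
            "</saml:Assertion>")


def _response(assertions: str) -> str:
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'xmlns:ds="{DS}" ID="_resp1" Version="2.0">{assertions}</samlp:Response>')


# Normal IdP response: one assertion, signed at assertion level.
BENIGN_RESPONSE = _response(_assertion("_a1", "alice@example.test", signed=True))
BENIGN_RESPONSE_B64 = base64.b64encode(BENIGN_RESPONSE.encode()).decode()

# The pattern the advisory describes: unsigned assertion first, signed one second.
MULTI_ASSERTION_RESPONSE = _response(
    _assertion("_a0", "unsigned@example.test", signed=False)
    + _assertion("_a1", "signed@example.test", signed=True))


if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_RESPONSE), ("multi", MULTI_ASSERTION_RESPONSE)):
        print(label, assertions_with_signature_state(xml), "suspicious:", is_suspicious(xml))
        try:
            print(label, "identity:", extract_identity_strict(xml))
        except ValueError as exc:
            print(label, "rejected:", exc)
```

Run as a script it prints the per-assertion signature state for both samples, flags the two-assertion response, accepts the benign one and rejects the other. To apply the detection rule to captured traffic, feed the base64 SAMLResponse value through `decode_saml_response` first. Note that an IdP signing the whole Response envelope puts the Signature under `samlp:Response` rather than under the Assertion, so `signed` will be False for every assertion in that deployment; the mitigation on the page (envelope signing plus exactly one assertion) then has to be validated at the Response level, which the hardened function above does not do.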
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-34840 allows an attacker to bypass authentication in OneUptime's SAML SSO implementation by injecting an unsigned assertion with an arbitrary identity before a legitimately signed assertion. This leads to impersonation of any user within the same SSO-enabled project.
Such an authentication bypass can have significant compliance implications for standards and regulations like GDPR and HIPAA, which require strong access controls and protection of personal and sensitive data. Unauthorized access due to this vulnerability could result in exposure or misuse of protected information, violating these regulations' requirements for confidentiality, integrity, and accountability.
Therefore, organizations using vulnerable versions of OneUptime prior to 10.0.42 may face increased risk of non-compliance with these standards until the vulnerability is patched and mitigations are applied.