What is the CVSS score of CVE-2026-28787?

CVE-2026-28787 has a CVSS 3.1 base score of 8.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Oneuptime are affected by CVE-2026-28787?

OneUptime versions 10.0.11 and prior contain a critical authentication bypass vulnerability that could allow attackers to forge WebAuthn credentials and gain unauthorized access to monitoring…

Is there a public PoC exploit available for CVE-2026-28787?

Yes, a public proof-of-concept exploit is available for CVE-2026-28787. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-28787?

Within 24 hours: Inventory all OneUptime deployments and document affected versions; restrict administrative access and monitor authentication logs for suspicious activity. Within 7 days: Disable WebAuthn authentication if possible and require alternative MFA methods; isolate OneUptime instances to trusted networks only; implement enhanced logging of all authentication attempts. Within 30 days: Contact vendor for patch availability and upgrade roadmap; evaluate alternative monitoring solutions if no patch timeline is provided; conduct forensic review of authentication logs for evidence of compromise.

Oneuptime CVE-2026-28787

HIGH

Improper Authentication (CWE-287)

2026-03-06 security-advisories@github.com

GHSA-gjjc-pcwp-c74m

Authentication Bypass XSS Oneuptime

8.2

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.2 HIGH

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

PoC Detected

Mar 10, 2026 - 19:51 vuln.today

Public exploit code

CVE Published

Mar 06, 2026 - 05:16 nvd

HIGH 8.2

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 npm packages depend on @oneuptime/common (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 10.0.11.

DescriptionGitHub Advisory

OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verification. This violates the WebAuthn specification (W3C Web Authentication Level 2, §13.4.3) and allows an attacker who has obtained a valid WebAuthn assertion (e.g., via XSS, MitM, or log exposure) to replay it indefinitely, completely bypassing the second-factor authentication. No known patches are available.

AnalysisAI

OneUptime versions 10.0.11 and earlier contain an improper WebAuthn implementation where server-side challenge validation is missing, allowing attackers with a captured assertion to replay valid authentication tokens indefinitely and bypass multi-factor authentication. The vulnerability affects authenticated users and requires only low privileges to exploit, with public exploit code already available. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain valid WebAuthn assertion via XSS or MitM

Delivery

Capture client-side challenge from response

Exploit

Replay assertion with captured challenge

Execution

Bypass second-factor authentication

Impact

Gain unauthorized account access

Access

Obtain valid WebAuthn assertion via XSS or MitM

Delivery

Capture client-side challenge from response

Exploit

Replay assertion with captured challenge

Execution

Bypass second-factor authentication

Impact

Gain unauthorized account access

Vulnerability AssessmentAI

Exploitation	OneUptime version 10.0.11 or prior with WebAuthn authentication enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.2 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to compromise the affected system.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all OneUptime deployments and document affected versions; restrict administrative access and monitor authentication logs for suspicious activity. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-28787 vulnerability details – vuln.today

Back

Oneuptime CVE-2026-28787

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

Blast Radius

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code