What is the CVSS score of CVE-2026-28787?

CVE-2026-28787 has a CVSS 3.1 base score of 8.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Oneuptime are affected by CVE-2026-28787?

OneUptime versions 10.0.11 and prior contain a critical authentication bypass vulnerability that could allow attackers to forge WebAuthn credentials and gain unauthorized access to monitoring…

Is there a public PoC exploit available for CVE-2026-28787?

Yes, a public proof-of-concept exploit is available for CVE-2026-28787. Prioritise patching immediately. EPSS: 0.0%.

Oneuptime CVE-2026-28787

HIGH

Improper Authentication (CWE-287)

2026-03-06 security-advisories@github.com

GHSA-gjjc-pcwp-c74m

XSS Authentication Bypass Oneuptime

8.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

PoC Detected

Mar 10, 2026 - 19:51 vuln.today

Public exploit code

CVE Published

Mar 06, 2026 - 05:16 nvd

HIGH 8.2

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 npm packages depend on @oneuptime/common (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 10.0.11.

DescriptionNVD

OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verification. This violates the WebAuthn specification (W3C Web Authentication Level 2, §13.4.3) and allows an attacker who has obtained a valid WebAuthn assertion (e.g., via XSS, MitM, or log exposure) to replay it indefinitely, completely bypassing the second-factor authentication. No known patches are available.

AnalysisAI

OneUptime versions 10.0.11 and earlier contain an improper WebAuthn implementation where server-side challenge validation is missing, allowing attackers with a captured assertion to replay valid authentication tokens indefinitely and bypass multi-factor authentication. The vulnerability affects authenticated users and requires only low privileges to exploit, with public exploit code already available. …

RemediationAI

Within 24 hours: Inventory all OneUptime deployments and document affected versions; restrict administrative access and monitor authentication logs for suspicious activity. Within 7 days: Disable WebAuthn authentication if possible and require alternative MFA methods; isolate OneUptime instances to trusted networks only; implement enhanced logging of all authentication attempts. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-28787 vulnerability details – vuln.today

Back

Oneuptime CVE-2026-28787

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code