Skip to main content

Jwt Attack CVE-2026-34840

| EUVDEUVD-2026-18533 HIGH
Improper Verification of Cryptographic Signature (CWE-347)
2026-04-02 GitHub_M
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:08 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
10.0.42
EUVD ID Assigned
Apr 02, 2026 - 19:31 euvd
EUVD-2026-18533
Analysis Generated
Apr 02, 2026 - 19:31 vuln.today
CVE Published
Apr 02, 2026 - 18:52 nvd
HIGH 8.1

DescriptionGitHub Advisory

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() verifies the first <Signature> element in the XML DOM using xml-crypto, while getEmail() always reads from assertion[0] via xml2js. An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, resulting in authentication bypass. This issue has been patched in version 10.0.42.

AnalysisAI

Authentication bypass in OneUptime SAML SSO implementation allows authenticated attackers to impersonate arbitrary users by exploiting XML signature verification logic flaws. Affected versions prior to 10.0.42 decouple signature validation from identity extraction, enabling XML injection attacks where an unsigned assertion with attacker-controlled identity precedes a legitimately signed assertion. EPSS and exploitation signals indicate publicly available exploit code exists with moderate technical complexity (CVSS AC:L, PR:L). No confirmed active exploitation (not in CISA KEV).

Technical ContextAI

OneUptime (cpe:2.3:a:oneuptime:oneuptime) is an open-source observability platform. The vulnerability stems from CWE-347 (Improper Verification of Cryptographic Signature) in the SAML SSO implementation located in App/FeatureSet/Identity/Utils/SSO.ts. The code uses xml-crypto to verify the first <Signature> element in the XML DOM tree via isSignatureValid(), while identity extraction through getEmail() uses xml2js to always parse assertion[0] without verifying which assertion was cryptographically signed. This architectural flaw creates a race condition where XML processing order differs between verification and extraction phases. SAML (Security Assertion Markup Language) relies on XML digital signatures to ensure assertion integrity, but improper implementation of signature scope validation enables XML signature wrapping attacks-a well-documented attack class against SAML implementations that parse XML without enforcing signature coverage over extracted claims.

RemediationAI

Vendor-released patch: upgrade to OneUptime version 10.0.42 or later, released on the project's GitHub repository at https://github.com/OneUptime/oneuptime/releases/tag/10.0.42. The fix implemented in commit 2fd7ede52f60444710628d6c1b34dee2ef9e57d1 (https://github.com/OneUptime/oneuptime/commit/2fd7ede52f60444710628d6c1b34dee2ef9e57d1) corrects the signature verification logic to ensure cryptographic validation applies to the same assertion from which identity claims are extracted, eliminating the XML injection opportunity. No workarounds are documented in the advisory; upgrading is the sole remediation path. Organizations should prioritize patching SAML SSO-enabled instances immediately. For environments where immediate patching is infeasible, consider temporarily disabling SAML SSO and reverting to alternative authentication mechanisms until upgrade completion, though this introduces operational disruption.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

CVE-2026-34840 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy