Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() verifies the first <Signature> element in the XML DOM using xml-crypto, while getEmail() always reads from assertion[0] via xml2js. An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, resulting in authentication bypass. This issue has been patched in version 10.0.42.
AnalysisAI
Authentication bypass in OneUptime SAML SSO implementation allows authenticated attackers to impersonate arbitrary users by exploiting XML signature verification logic flaws. Affected versions prior to 10.0.42 decouple signature validation from identity extraction, enabling XML injection attacks where an unsigned assertion with attacker-controlled identity precedes a legitimately signed assertion. EPSS and exploitation signals indicate publicly available exploit code exists with moderate technical complexity (CVSS AC:L, PR:L). No confirmed active exploitation (not in CISA KEV).
Technical ContextAI
OneUptime (cpe:2.3:a:oneuptime:oneuptime) is an open-source observability platform. The vulnerability stems from CWE-347 (Improper Verification of Cryptographic Signature) in the SAML SSO implementation located in App/FeatureSet/Identity/Utils/SSO.ts. The code uses xml-crypto to verify the first <Signature> element in the XML DOM tree via isSignatureValid(), while identity extraction through getEmail() uses xml2js to always parse assertion[0] without verifying which assertion was cryptographically signed. This architectural flaw creates a race condition where XML processing order differs between verification and extraction phases. SAML (Security Assertion Markup Language) relies on XML digital signatures to ensure assertion integrity, but improper implementation of signature scope validation enables XML signature wrapping attacks-a well-documented attack class against SAML implementations that parse XML without enforcing signature coverage over extracted claims.
RemediationAI
Vendor-released patch: upgrade to OneUptime version 10.0.42 or later, released on the project's GitHub repository at https://github.com/OneUptime/oneuptime/releases/tag/10.0.42. The fix implemented in commit 2fd7ede52f60444710628d6c1b34dee2ef9e57d1 (https://github.com/OneUptime/oneuptime/commit/2fd7ede52f60444710628d6c1b34dee2ef9e57d1) corrects the signature verification logic to ensure cryptographic validation applies to the same assertion from which identity claims are extracted, eliminating the XML injection opportunity. No workarounds are documented in the advisory; upgrading is the sole remediation path. Organizations should prioritize patching SAML SSO-enabled instances immediately. For environments where immediate patching is infeasible, consider temporarily disabling SAML SSO and reverting to alternative authentication mechanisms until upgrade completion, though this introduces operational disruption.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18533