CVE-2026-34840— OneUptime SSO: Multi-Assertion Identity Injection via Decoupled Signature Verification
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-34840
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OneUptime SSO: Multi-Assertion Identity Injection via Decoupled Signature Verification
Source: NVD (National Vulnerability Database)
Vulnerability Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() verifies the first <Signature> element in the XML DOM using xml-crypto, while getEmail() always reads from assertion[0] via xml2js. An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, resulting in authentication bypass. This issue has been patched in version 10.0.42.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
密码学签名的验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
OneUptime 数据伪造问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OneUptime是OneUptime开源的一个全面的解决方案。用于监控和管理您的在线服务。 OneUptime 10.0.42之前版本存在数据伪造问题漏洞,该漏洞源于SAML SSO实现中签名验证和身份提取分离,可能导致身份验证绕过。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-34840
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 10433 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-34840
请登录查看更多情报信息。
Same Patch Batch · OneUptime · 2026-04-02 · 4 CVEs total
| CVE-2026-34758 | 9.1 CRITICAL | OneUptime: Missing Authentication on Notification Endpoints |
| CVE-2026-35053 | OneUptime: Unauthenticated Workflow Execution via ManualAPI | |
| CVE-2026-34759 | OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number p |
IV. Related Vulnerabilities
Same product: oneuptime
- CVE-2026-35053
OneUptime: Unauthenticated Workflow Execution via ManualAPI - CVE-2026-34759
OneUptime: Unauthenticated notification API endpoints - fina - CVE-2026-34758
OneUptime: Missing Authentication on Notification Endpoints - CVE-2026-33396
OneUptime has sandbox escape in Synthetic Monitor Playwright - CVE-2026-33142
OneUptime: ClickHouse SQL Injection via unvalidated column i
Same vendor: OneUptime
- CVE-2026-35053
OneUptime: Unauthenticated Workflow Execution via ManualAPI - CVE-2026-34759
OneUptime: Unauthenticated notification API endpoints - fina - CVE-2026-34758
OneUptime: Missing Authentication on Notification Endpoints - CVE-2026-33396
OneUptime has sandbox escape in Synthetic Monitor Playwright - CVE-2026-33142
OneUptime: ClickHouse SQL Injection via unvalidated column i
Same weakness: CWE-347
- CVE-2026-42193
Plunk: SNS webhook forgery - CVE-2026-44497
ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type - CVE-2026-41669
Admidio: SAML Signature Validation Result Ignored — Forged A - CVE-2026-7689
Dolibarr ERP CRM Online Signature security.lib.php dol_verif - CVE-2026-33467
Improper Verification of Cryptographic Signature in Elastic
V. Comments for CVE-2026-34840
No comments yet