VYPR
High severity · NVD Advisory · Published Mar 6, 2026 · Updated Mar 9, 2026

OneUptime has WebAuthn 2FA bypass: server accepts client-supplied challenge instead of server-stored value, allowing credential replay

CVE-2026-28787

Description

OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verification. This violates the WebAuthn specification (W3C Web Authentication Level 2, §13.4.3) and allows an attacker who has obtained a valid WebAuthn assertion (e.g., via XSS, MitM, or log exposure) to replay it indefinitely, completely bypassing the second-factor authentication. No known patches are available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OneUptime ≤10.0.11 stores WebAuthn challenges only client-side, enabling indefinite replay of captured assertions to bypass 2FA.

Vulnerability

Overview

CVE-2026-28787 affects OneUptime, an open-source monitoring and observability platform, in versions 10.0.11 and prior. The WebAuthn authentication implementation violates the W3C Web Authentication Level 2 specification (§13.4.3) by not storing the authentication challenge on the server side. Instead, the server generates a random challenge via generateAuthenticationOptions() but returns it to the client without persisting it in a session or database [1][2].

Exploitation

Mechanism

During verification, the server reads the expectedChallenge directly from the untrusted client request body (in Authentication.ts:1042), rather than from a server-stored value. This client-controlled challenge is then passed to @simplewebauthn/server's verifyAuthenticationResponse() as the expected challenge [2]. An attacker who obtains a valid WebAuthn assertion—for example, through cross-site scripting (XSS), man-in-the-middle (MitM) attacks, or log exposure—can replay that assertion indefinitely. Because both the expected challenge (from the request body) and the challenge embedded in the credential's clientDataJSON originate from the same captured assertion, they will always match, completely bypassing the second-factor authentication [1][2].
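The following TypeScript example is added here to illustrate the mechanism described above; it is not OneUptime's code and does not call @simplewebauthn/server. challengeMatches() is a stand-in for the challenge comparison that a library verifier such as verifyAuthenticationResponse() performs (the real call also validates origin, RP ID, signature and signature counter, which this stub omits), simulateAuthenticator() builds a constructed assertion with a WebAuthn-style clientDataJSON, and ChallengeStore is a hypothetical server-side store. vulnerableVerify() reproduces the pattern the advisory describes: the expected challenge is taken from the request body, so a captured assertion verifies every time it is resent. hardenedVerify() takes the challenge from server state, makes it single-use and time-limited, and rejects the same assertion on replay.

```typescript
// Added example, not OneUptime's code: contrasts a client-supplied expected
// challenge (the pattern described in CVE-2026-28787) with a server-stored,
// single-use challenge. Only the challenge check is modelled; a real verifier
// also checks origin, RP ID, signature and counter (assumed, not shown).
import { randomBytes } from "node:crypto";

type ClientData = { type: string; challenge: string; origin: string };
type Assertion = { id: string; response: { clientDataJSON: string } };

function b64url(buf: Buffer): string {
  return buf.toString("base64url");
}

// clientDataJSON is base64url-encoded JSON carrying the challenge the
// authenticator signed over.
function decodeClientData(assertion: Assertion): ClientData {
  const json = Buffer.from(assertion.response.clientDataJSON, "base64url").toString("utf8");
  return JSON.parse(json) as ClientData;
}

// Stand-in for the library's expectedChallenge comparison.
function challengeMatches(assertion: Assertion, expectedChallenge: string): boolean {
  const cd = decodeClientData(assertion);
  return cd.type === "webauthn.get" && cd.challenge === expectedChallenge;
}

// Constructed authenticator: produces an assertion over the given challenge.
function simulateAuthenticator(challenge: string, origin: string): Assertion {
  const cd: ClientData = { type: "webauthn.get", challenge, origin };
  const clientDataJSON = b64url(Buffer.from(JSON.stringify(cd), "utf8"));
  return { id: "constructed-credential-id", response: { clientDataJSON } };
}

// --- Vulnerable pattern: challenge generated, returned, never remembered ---
function vulnerableGenerateOptions(): { challenge: string } {
  return { challenge: b64url(randomBytes(32)) };
}

// The expected challenge comes from the untrusted request body, so it always
// equals the one inside the captured assertion's clientDataJSON.
function vulnerableVerify(body: { expectedChallenge: string; assertion: Assertion }): boolean {
  return challengeMatches(body.assertion, body.expectedChallenge);
}

// --- Hardened pattern: challenge lives in server state, single-use, with TTL ---
type PendingChallenge = { challenge: string; expiresAt: number };

class ChallengeStore {
  private readonly pending = new Map<string, PendingChallenge>();
  private readonly ttlMs: number;
  constructor(ttlMs = 60_000) {
    this.ttlMs = ttlMs;
  }
  // Issue a fresh challenge for this session and remember it server-side.
  issue(sessionId: string, now = Date.now()): string {
    const challenge = b64url(randomBytes(32));
    this.pending.set(sessionId, { challenge, expiresAt: now + this.ttlMs });
    return challenge;
  }
  // Consume removes the entry first, so a used or expired challenge can never
  // be presented a second time.
  consume(sessionId: string, now = Date.now()): string | null {
    const entry = this.pending.get(sessionId);
    this.pending.delete(sessionId);
    if (!entry || entry.expiresAt <= now) return null;
    return entry.challenge;
  }
}

// Nothing from the request body is used as the expected challenge.
function hardenedVerify(store: ChallengeStore, sessionId: string, assertion: Assertion, now = Date.now()): boolean {
  const expected = store.consume(sessionId, now);
  if (expected === null) return false; // no pending challenge, or it expired / was already used
  return challengeMatches(assertion, expected);
}

// Runs both flows against a constructed assertion and reports the outcomes.
function demo(): { vulnerableReplayAccepted: boolean; hardenedFirstUse: boolean; hardenedReplay: boolean } {
  const origin = "https://example.test"; // constructed origin

  const opts = vulnerableGenerateOptions();
  const captured = simulateAuthenticator(opts.challenge, origin);
  const replayBody = { expectedChallenge: opts.challenge, assertion: captured };
  // Verified twice with the same body: the vulnerable path accepts both.
  const vulnerableReplayAccepted = vulnerableVerify(replayBody) && vulnerableVerify(replayBody);

  const store = new ChallengeStore();
  const sessionId = "constructed-session";
  const challenge = store.issue(sessionId);
  const assertion = simulateAuthenticator(challenge, origin);
  const hardenedFirstUse = hardenedVerify(store, sessionId, assertion); // true
  const hardenedReplay = hardenedVerify(store, sessionId, assertion);   // false: challenge consumed

  return { vulnerableReplayAccepted, hardenedFirstUse, hardenedReplay };
}
```

The store is keyed by the login session so that one user's pending challenge cannot satisfy another's request, and consume() deletes before it compares so that an expired or already-used challenge is gone regardless of the outcome. In a multi-instance deployment the same shape belongs in a shared store (a database row or cache entry with a TTL) rather than in process memory.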

Impact

Successful exploitation allows an attacker to bypass WebAuthn 2FA, gaining unauthorized access to the victim's account without possessing the physical authenticator. The attacker can replay the captured assertion any number of times, effectively neutralizing the second factor [1][2].

Mitigation

Status

As of the publication date, no patches are available. Users of OneUptime version 10.0.11 and earlier are advised to monitor the vendor's repository for updates and consider restricting network access or implementing additional compensating controls until a fix is released [1][2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions   Patched versions
@oneuptime/common (npm)    <= 10.0.11          none

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3