OneUptime: WhatsApp Webhook Missing Signature Verification
Description
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery status records, suppress alerts, and corrupt audit trails. The codebase already implements proper signature verification for Slack webhooks. This issue has been patched in version 10.0.34.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OneUptime before 10.0.34 lacks HMAC signature verification on its WhatsApp webhook POST handler, letting unauthenticated attackers forge status updates to suppress alerts and corrupt audit trails.
Vulnerability
The WhatsApp POST webhook handler at /notification/whatsapp/webhook in OneUptime prior to version 10.0.34 processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature [1][3]. The codebase already implements proper signature verification for Slack webhooks, but the WhatsApp POST handler omits this check entirely [3].
Exploitation
An unauthenticated attacker can send a crafted HTTP POST request to the vulnerable endpoint with a forged JSON payload that mimics a legitimate WhatsApp business account status update [3]. No authentication or prior access is required; the attacker only needs network access to the OneUptime instance. The GET webhook correctly validates a verify token, but the POST handler—which processes actual event data—does not [3].
Impact
By forging delivery status updates, an attacker can manipulate notification delivery status records, suppress real alerts, and corrupt audit trails [1][3]. This could lead to missed incident notifications, false sense of security, and compromised monitoring integrity.
Mitigation
The issue has been patched in OneUptime version 10.0.34 [1]. Users should upgrade to this version or later. No workaround is documented; the fix adds proper HMAC signature verification to the WhatsApp webhook POST handler.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
oneuptimenpm | < 10.0.34 | 10.0.34 |
Affected products
2- OneUptime/oneuptimev5Range: < 10.0.34
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-g5ph-f57v-mwjcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33143ghsaADVISORY
- github.com/OneUptime/oneuptime/security/advisories/GHSA-g5ph-f57v-mwjcghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.