High severityNVD Advisory· Published Mar 20, 2026· Updated Mar 24, 2026
OneUptime: WhatsApp Webhook Missing Signature Verification
CVE-2026-33143
Description
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery status records, suppress alerts, and corrupt audit trails. The codebase already implements proper signature verification for Slack webhooks. This issue has been patched in version 10.0.34.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
oneuptimenpm | < 10.0.34 | 10.0.34 |
Affected products
2- OneUptime/oneuptimev5Range: < 10.0.34
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-g5ph-f57v-mwjcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33143ghsaADVISORY
- github.com/OneUptime/oneuptime/security/advisories/GHSA-g5ph-f57v-mwjcghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.