LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-28787

CVE-2026-28787 - Vulnerability Analysis

HighCVSS: 8.2

Last Updated: March 9, 2026

OneUptime - Authentication Bypass

Published: March 6, 2026Updated: March 9, 2026Remote Exploitable

Overview

OneUptime <= 10.0.11 contains a broken authentication caused by improper WebAuthn challenge handling, letting attackers replay valid assertions to bypass second-factor authentication, exploit requires attacker to have a valid WebAuthn assertion.

Severity & Score

Severity: High
CVSS Score: 8.2
EPSS Score: 4.7%(Probability of exploitation in next 30 days)

Impact

Attackers can bypass second-factor authentication by replaying valid WebAuthn assertions, compromising account security.

Mitigation

Update to the latest version when a patch becomes available.

References

Social Media Activity(3 posts)

TheHackerWire
TheHackerWire
@thehackerwire
Mar 6, 2026

šŸŸ  CVE-2026-28787 - High (8.2) OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and acc... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-28787/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 6, 2026

šŸŸ  CVE-2026-28787 - High (8.2) OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and acc... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-28787/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 6, 2026

šŸŸ  CVE-2026-28787 - High (8.2) OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and acc... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-28787/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID
CVE-2026-28787
Severity
High
CVSS Score
8.2
Type
broken_authentication
Status
unconfirmed
EPSS
4.7%
Social Posts
3

CWE

  • CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

EPSS Score

4.7%Probability of exploitation in the next 30 days