LeakyCreds

CVE-2026-33143 - Vulnerability Analysis

High | CVSS: 7.5

Last Updated: March 23, 2026

OneUptime - Broken Access Control

Published: March 20, 2026 | Updated: March 23, 2026 | PoC Available | Remote Exploitable

Overview

OneUptime < 10.0.34 contains a broken access control vulnerability: the WhatsApp POST webhook handler does not verify the Meta/WhatsApp X-Hub-Signature-256 HMAC signature. This lets unauthenticated attackers manipulate notification delivery status, suppress alerts, and corrupt audit trails. Exploitation requires no authentication.
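
The missing check, sketched as an added example (this is not OneUptime's code, and the function names, secret and sample payload are constructed for illustration). It assumes Meta's webhook scheme, where `X-Hub-Signature-256` carries `sha256=` followed by the hex HMAC-SHA256 of the raw request body keyed with the app secret:

```javascript
const crypto = require("node:crypto");

// Constructed placeholder; in a real deployment this is the Meta app secret.
const APP_SECRET = "constructed-app-secret-for-demo";

// True only if `header` is "sha256=<64 hex chars>" and equals
// HMAC-SHA256(appSecret, rawBody). rawBody must be the exact bytes received:
// a parsed and re-serialized JSON body will not produce the same digest.
function verifyHubSignature(rawBody, header, appSecret) {
  if (typeof header !== "string") return false; // header absent
  const match = /^sha256=([0-9a-f]{64})$/i.exec(header.trim());
  if (!match) return false; // malformed value or unexpected algorithm
  const received = Buffer.from(match[1], "hex");
  const expected = crypto.createHmac("sha256", appSecret).update(rawBody).digest();
  // Both buffers are 32 bytes here; compare without an early exit.
  return crypto.timingSafeEqual(received, expected);
}

// Hypothetical handler core: reject before any status update is processed.
function handleWebhook(rawBody, headers, appSecret = APP_SECRET) {
  if (!verifyHubSignature(rawBody, headers["x-hub-signature-256"], appSecret)) {
    return { status: 401, processed: false };
  }
  const event = JSON.parse(rawBody.toString("utf8"));
  return { status: 200, processed: true, entries: (event.entry || []).length };
}

// Helper that signs a body the way a legitimate sender would (demo only).
function sign(rawBody, appSecret) {
  return "sha256=" + crypto.createHmac("sha256", appSecret).update(rawBody).digest("hex");
}

// Constructed sample status-update payload.
const sampleBody = Buffer.from(JSON.stringify({
  object: "whatsapp_business_account",
  entry: [{ changes: [{ field: "messages",
    value: { statuses: [{ id: "constructed-id", status: "delivered" }] } }] }],
}));

console.log(handleWebhook(sampleBody, { "x-hub-signature-256": sign(sampleBody, APP_SECRET) }));
console.log(handleWebhook(sampleBody, {})); // unsigned request is rejected
```

In an Express-style server the raw bytes have to be captured before JSON body parsing runs, otherwise the handler only sees the parsed object and cannot recompute the digest.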

Severity & Score

Severity: High
CVSS Score: 7.5
EPSS Score: 2.5% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can manipulate notification statuses, suppress alerts, and corrupt audit trails, impacting monitoring reliability and integrity.

Mitigation

Upgrade to version 10.0.34 or later.

Social Media Activity (4 posts)

Ivy Cyber
@ivycyber
Mar 23, 2026

🛡️ #Cybersecurity news & tips across the #fediverse 👇 “🟠 CVE-2026-33143 - High (7.5) OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status ...” https://mastodon.social/@thehackerwire/116280734653900107 🤖 via RSS feed. Not an endorsement.

TheHackerWire
@thehackerwire
Mar 23, 2026

🟠 CVE-2026-33143 - High (7.5) OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Sig... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33143/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-33143
Severity: High
CVSS Score: 7.5
Type: broken_access_control
Status: confirmed
EPSS: 2.5%
Social Posts: 4

CWE

  • CWE-345

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score

2.5% (Probability of exploitation in the next 30 days)