CVE-2026-33143

HIGH

OneUptime: WhatsApp Webhook Missing Signature Verification

Title source: cna

Description

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery status records, suppress alerts, and corrupt audit trails. The codebase already implements proper signature verification for Slack webhooks. This issue has been patched in version 10.0.34.

References (1)

[X_Refsource_Confirm] https://github.com/OneUptime/oneuptime/security/advisories/GHSA-g5ph-f57v-mwjc

Scores

CVSS v3 7.5

EPSS 0.0004

EPSS Percentile 12.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-345

Status published

Products (3)

hackerbay/oneuptime < 10.0.34

npm/oneuptime 0 - 10.0.34npm

OneUptime/oneuptime < 10.0.34

Published Mar 20, 2026

Tracked Since Mar 21, 2026