JustAppSec

OneUptime patches SAML SSO multi-assertion auth bypass

Published 02 Apr 2026 · Updated 02 Apr 2026 · Source: CVEProject (cvelistV5)

TL;DR — OneUptime’s SAML SSO flow can validate a signed assertion while extracting identity from an attacker-injected unsigned assertion, enabling an authentication bypass under certain IdP signing configurations.

What happened

OneUptime is an open-source monitoring and observability platform that teams deploy to collect telemetry and drive alerting workflows.

CVE-2026-34840 describes a High-severity authentication bypass in OneUptime’s SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) caused by decoupled signature verification and identity extraction. Per the advisory, isSignatureValid() verifies the first XML Digital Signature in the SAML payload, while getEmail() extracts the user identity from assertion[0]. An attacker can prepend an unsigned assertion containing a target identity before a legitimately signed assertion, causing OneUptime to accept the signature but authenticate as the injected identity.

The advisory notes exploitability is conditional on IdP signature configuration: environments where the IdP produces assertion-level (enveloped) signatures are at risk; deployments where only the <Response> envelope is signed are not exploitable via this specific prepend-assertion path. This is a classic “SSO boundary” failure mode: once SAML identity can be injected, the attacker is operating as a legitimate user inside your monitoring control plane.

Who is impacted

  • OneUptime instances using SAML SSO with affected versions.
  • Highest risk when your IdP produces assertion-level signatures (as opposed to signing only the <Response> envelope).
  • Per the advisory’s attack scenario, the target identity must correspond to an existing user in the same SSO-enabled OneUptime project (because the handler performs user lookup / membership checks after email extraction).

Component | Affected versions (per advisory / CVE record) | Patched versions (per advisory / CVE record)
oneuptime | < 10.0.42                                     | 10.0.42

What to do now

  • Follow upstream OneUptime remediation guidance and apply the patched release referenced by the advisory.
    • "Patched versions: 10.0.42"

  • Treat this as an identity integrity incident risk: if you suspect exploitation, invalidate active sessions for SSO users and review authentication logs around SAML ACS/SSO endpoints for anomalies (unexpected logins as higher-privilege users).
  • If you cannot patch immediately, confirm your IdP signature mode (assertion-level vs response-level) to understand whether your deployment matches the advisory’s exploitable configuration, and reduce exposure (e.g., restrict SSO endpoints to trusted networks) until patched.
  • After patching, re-test SSO flows with your IdP and ensure the application rejects multi-assertion SAML responses and rejects unsigned identity-bearing assertions.
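The defect described above, and the regression check for the last step, as an added example that is not OneUptime's code and does not reproduce SSO.ts. It models a SAML Response with the standard library only: XML-DSig is replaced by an HMAC (a stand-in, labelled in the code) over the serialized bytes of the one Assertion it envelops, which preserves the property that matters here, namely that a signature binds exactly one assertion element. `vulnerable_login` mirrors the advisory's control flow (verify the first signature found anywhere in the payload, then read identity from assertion[0]); `hardened_login` rejects any response that does not carry exactly one assertion and reads identity only from the element whose signature it verified. All names, keys and e-mail addresses are constructed.

```python
"""Constructed model of the CVE-2026-34840 control-flow defect and its fix.

Not OneUptime's code. XML-DSig is replaced by an HMAC-SHA256 over the
enveloped <Assertion>'s serialized bytes so the script runs offline.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("ds", DS)

IDP_KEY = b"constructed-idp-key"  # stand-in for the IdP's signing key


def _assertion_bytes(assertion):
    """Serialize an <Assertion> with any enveloped <Signature> removed."""
    clone = copy.deepcopy(assertion)
    for sig in clone.findall(f"{{{DS}}}Signature"):
        clone.remove(sig)
    return ET.tostring(clone)


def sign_assertion(assertion, key=IDP_KEY):
    """Attach a stand-in enveloped signature (HMAC) to one assertion."""
    mac = hmac.new(key, _assertion_bytes(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(assertion, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = mac
    return assertion


def build_response(emails_in_order, signed_index):
    """Constructed <Response> with one <Assertion> per e-mail, in the given
    order; only the assertion at signed_index is signed (-1: none)."""
    resp = ET.Element(f"{{{SAMLP}}}Response")
    for i, email in enumerate(emails_in_order):
        a = ET.SubElement(resp, f"{{{SAML}}}Assertion")
        subject = ET.SubElement(a, f"{{{SAML}}}Subject")
        ET.SubElement(subject, f"{{{SAML}}}NameID").text = email
        if i == signed_index:
            sign_assertion(a)
    return ET.tostring(resp)


def verify_enveloped(assertion, key=IDP_KEY):
    """Check the stand-in signature against this assertion's own bytes."""
    value = assertion.find(f"{{{DS}}}Signature/{{{DS}}}SignatureValue")
    if value is None or not value.text:
        return False
    expected = hmac.new(key, _assertion_bytes(assertion), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, value.text)


def vulnerable_login(xml_bytes):
    """Advisory's defect: verify the first signature found anywhere in the
    payload, then take the identity from assertion[0], which need not be
    the element that was verified."""
    root = ET.fromstring(xml_bytes)
    first_sig = root.find(f".//{{{DS}}}Signature")
    if first_sig is None:
        return None
    parent = {child: p for p in root.iter() for child in p}
    if not verify_enveloped(parent[first_sig]):
        return None
    assertions = root.findall(f"{{{SAML}}}Assertion")
    return assertions[0].findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def hardened_login(xml_bytes):
    """Fix: require exactly one assertion and read the identity only from
    the element whose signature was verified."""
    root = ET.fromstring(xml_bytes)
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        return None
    assertion = assertions[0]
    if not verify_enveloped(assertion):
        return None
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


if __name__ == "__main__":
    legit = build_response(["alice@example.test"], signed_index=0)
    print("legit   :", vulnerable_login(legit), hardened_login(legit))
    # Regression vector for the post-patch check: unsigned assertion first,
    # signed assertion second. The patched handler must return None here.
    multi = build_response(["admin@example.test", "alice@example.test"], signed_index=1)
    print("multi   :", vulnerable_login(multi), hardened_login(multi))
```

Run against a real deployment, the equivalent check is to replay a two-assertion Response built from a genuine IdP-signed assertion and confirm the ACS endpoint rejects it; the model above only stands in for that signature with an HMAC so the control flow can be exercised offline.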

Additional Information

  • Upstream advisory: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-5w5c-766x-265g
  • Patch commit referenced by the CVE record: https://github.com/OneUptime/oneuptime/commit/2fd7ede52f60444710628d6c1b34dee2ef9e57d1
  • Release reference: https://github.com/OneUptime/oneuptime/releases/tag/10.0.42
