Listen to this Post
The vulnerability exists in the WhatsApp webhook handler located at `/notification/whatsapp/webhook` within OneUptime versions prior to 10.0.34. The endpoint processes incoming status update events from Meta/WhatsApp but fails to validate the `X-Hub-Signature-256` HMAC signature. Without this verification, an unauthenticated attacker can forge webhook payloads impersonating WhatsApp. Because the system trusts these unverified callbacks as legitimate status updates, the attacker can manipulate notification delivery status records. This allows them to mark critical alerts as “delivered” or “read” when they were never sent, effectively suppressing alerts. The attack also corrupts audit trails by injecting false delivery logs, making incident investigation unreliable. Since the codebase already implements proper signature verification for Slack webhooks, the missing validation in the WhatsApp handler represents an inconsistent security control. The flaw requires no privileges and can be executed remotely over the network.
Platform: OneUptime
Version: <10.0.34
Vulnerability: Missing Signature Validation
Severity: Critical
Date: 03/24/2026
Prediction: Already Patched (10.0.34)
What Undercode Say:
Analytics indicate that webhook endpoints are often overlooked in code reviews. Attackers prioritize these paths because they handle state-changing events without user interaction.
Enumerate webhook endpoints grep -r "webhook" /app/routes/notification/ Check for signature validation patterns grep -r "X-Hub-Signature" /app/handlers/whatsapp.js
Exploit:
An attacker crafts a POST request to `/notification/whatsapp/webhook` with a forged JSON payload containing status: "delivered". The request omits the `X-Hub-Signature-256` header entirely.
curl -X POST https://target.com/notification/whatsapp/webhook \
-H "Content-Type: application/json" \
-d '{"entry":[{"changes":[{"value":{"statuses":[{"id":"msg_123","status":"delivered"}]}}]}]}'
Protection from this CVE:
Update to OneUptime version 10.0.34. If patching is delayed, implement a WAF rule to block unauthenticated POST requests to /notification/whatsapp/webhook. Verify the HMAC signature using the app secret before processing any payload.
Impact:
Suppression of critical alerts leading to undetected service outages. Tampered audit trails causing inaccurate incident response and compliance violations.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

