Report: CVE-2026-34840 - OneUptime SSO: Multi-Assertion Identity Injection via Decoupled Signature Verifi

CVE ID: CVE-2026-34840
Published: April 2, 2026, 8:16 p.m.
Severity: 8.1 | HIGH

Description: OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) decouples signature verification from identity extraction: isSignatureValid() verifies the first element in the XML DOM using xml-crypto, while getEmail() always reads the identity from assertion[0] via xml2js. An attacker can therefore prepend an unsigned assertion containing an arbitrary identity before a legitimately signed assertion, so the signature check passes while the identity is taken from the unsigned assertion, resulting in an authentication bypass. This issue has been patched in version 10.0.42.
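The decoupling described above, shown as an added Python example that is not OneUptime's code: a toy XML-DSig stand-in (an HMAC over the assertion ID and its Subject, under a constructed key) is checked against the first Signature in the DOM, and a vulnerable extractor reads assertion[0] while a hardened one requires a single Assertion and reads the identity only from the element that signature covers. All function names (verify_signature, email_vulnerable, email_hardened, assertion) and the sample XML are assumptions constructed for this example.

```python
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
KEY = b"demo-idp-key"  # constructed: stands in for the IdP's signing key

def _digest(assertion):
    # Toy stand-in for XML-DSig: a MAC over the Assertion's ID and its Subject subtree
    subject = ET.tostring(assertion.find(f"{{{SAML}}}Subject"))
    return hmac.new(KEY, assertion.get("ID", "").encode() + subject, "sha256").hexdigest()

def verify_signature(root):
    # Returns the Assertion covered by the FIRST Signature in the DOM (as isSignatureValid() does), or None
    ref = root.find(f".//{{{DS}}}Reference")
    uri = ref.get("URI", "") if ref is not None else ""
    signed = next((a for a in root.iter(f"{{{SAML}}}Assertion")
                   if "#" + a.get("ID", "") == uri), None)
    if signed is None:
        return None
    ok = hmac.compare_digest(_digest(signed), ref.findtext(f"{{{DS}}}DigestValue", ""))
    return signed if ok else None

def email_vulnerable(response_xml):
    # Decoupled, as in the advisory: signature checked on one node, identity read from assertion[0]
    root = ET.fromstring(response_xml)
    if verify_signature(root) is None:
        raise ValueError("signature invalid")
    return root.find(f"{{{SAML}}}Assertion").findtext(f".//{{{SAML}}}NameID")

def email_hardened(response_xml):
    # Coupled: exactly one Assertion, and the identity is read from the node the signature covers
    root = ET.fromstring(response_xml)
    assertions = root.findall(f"{{{SAML}}}Assertion")
    signed = verify_signature(root)
    if len(assertions) != 1 or signed is not assertions[0]:
        raise ValueError("identity element is not the single, signature-covered Assertion")
    return signed.findtext(f".//{{{SAML}}}NameID")

def assertion(aid, email, sign=True):
    # Constructed sample Assertion; sign=False yields a bare element with no Signature
    xml = (f'<saml:Assertion xmlns:saml="{SAML}" ID="{aid}"><saml:Subject>'
           f'<saml:NameID>{email}</saml:NameID></saml:Subject></saml:Assertion>')
    if not sign:
        return xml
    sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#{aid}">'
           f'<ds:DigestValue>{_digest(ET.fromstring(xml))}</ds:DigestValue>'
           f'</ds:Reference></ds:SignedInfo></ds:Signature>')
    return xml.replace("</saml:Assertion>", sig + "</saml:Assertion>")
```

In a real service provider the signature check stays with xml-crypto; the structural rule this demonstrates is binding the extracted identity to the signed node and refusing responses that carry more than one Assertion.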

CVE Details

Severity: HIGH
Published: April 2, 2026
Impact: authentication bypass