CVE-2026-33143: OneUptime WhatsApp Webhook Missing Signature Verification

March 18, 2026 (updated March 20, 2026)

The WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery status records, suppress alerts, and corrupt audit trails. The codebase already implements proper signature verification for Slack webhooks.

References

github.com/OneUptime/oneuptime
github.com/OneUptime/oneuptime/security/advisories/GHSA-g5ph-f57v-mwjc
github.com/advisories/GHSA-g5ph-f57v-mwjc
nvd.nist.gov/vuln/detail/CVE-2026-33143

Code Behaviors & Features

Detect and mitigate CVE-2026-33143 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →