OneUptime WhatsApp Webhook Signature Verification Vulnerability
Vulnerability
A vulnerability exists in OneUptime versions prior to 10.0.34 within the WhatsApp POST webhook handler. This handler processes status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature. As a result, any unauthenticated attacker can send forged webhook payloads that manipulate notification delivery status records, suppress alerts, and corrupt audit trails. While the application correctly verifies signatures for Slack webhooks, the WhatsApp handler omits this check entirely.
Impact
Exploitation of this vulnerability allows unauthenticated remote attackers to forge WhatsApp webhook events, falsely indicating the delivery status of notifications, suppressing critical alerts, and manipulating notification logs, thereby disrupting incident response efforts.
Reproduction
To reproduce this vulnerability, send a POST request to the OneUptime WhatsApp webhook endpoint without including the required X-Hub-Signature-256 header. The request should contain a payload that mimics a legitimate WhatsApp status update, such as injecting a message or altering the delivery status of a notification. OneUptime will accept the forged payload without verification, resulting in a 200 OK response.
Remediation
Users can update to OneUptime version 10.0.34 or later, where this vulnerability has been patched.
