CVE-2026-32230 (GCVE-0-2026-32230)
Vulnerability from cvelistv5 – Published: 2026-03-12 18:13 – Updated: 2026-03-13 16:19
VLAI?
Title
Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page
Summary
Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| louislam | uptime-kuma |
Affected:
>= 2.0.0, < 2.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32230",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:19:08.925897Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:19:12.948Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uptime-kuma",
"vendor": "louislam",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T18:13:58.543Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h"
},
{
"name": "https://github.com/louislam/uptime-kuma/issues/7038",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/louislam/uptime-kuma/issues/7038"
},
{
"name": "https://github.com/louislam/uptime-kuma/issues/7135",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/louislam/uptime-kuma/issues/7135"
},
{
"name": "https://github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febae"
},
{
"name": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.0"
}
],
"source": {
"advisory": "GHSA-c7hf-c5p5-5g6h",
"discovery": "UNKNOWN"
},
"title": "Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32230",
"datePublished": "2026-03-12T18:13:58.543Z",
"dateReserved": "2026-03-11T14:47:05.681Z",
"dateUpdated": "2026-03-13T16:19:12.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-32230\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-12T19:16:16.820\",\"lastModified\":\"2026-03-19T21:06:13.853\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0.\"},{\"lang\":\"es\",\"value\":\"Uptime Kuma es una herramienta de monitoreo de c\u00f3digo abierto y autoalojada. Desde la versi\u00f3n 2.0.0 hasta la 2.1.3, el endpoint GET /api/badge/:id/ping/:duration? en servidor/routers/api-router.js no verifica que el monitor solicitado pertenezca a un grupo p\u00fablico. Todos los dem\u00e1s endpoints de insignia verifican AND public = 1 en su consulta SQL antes de devolver datos. El endpoint de ping omite esta verificaci\u00f3n por completo, permitiendo a usuarios no autenticados extraer datos de tiempo promedio de ping/respuesta para monitores privados. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 2.2.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:uptime.kuma:uptime_kuma:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.2.0\",\"matchCriteriaId\":\"4815ABCE-2D49-4C9D-BB1E-083178EAD490\"}]}]}],\"references\":[{\"url\":\"https://github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febae\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/louislam/uptime-kuma/issues/7038\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/louislam/uptime-kuma/issues/7135\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/louislam/uptime-kuma/releases/tag/2.2.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32230\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-13T16:19:08.925897Z\"}}}], \"references\": [{\"url\": \"https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-13T16:18:58.440Z\"}}], \"cna\": {\"title\": \"Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page\", \"source\": {\"advisory\": \"GHSA-c7hf-c5p5-5g6h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"louislam\", \"product\": \"uptime-kuma\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.0.0, \u003c 2.2.0\"}]}], \"references\": [{\"url\": \"https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h\", \"name\": \"https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/louislam/uptime-kuma/issues/7038\", \"name\": \"https://github.com/louislam/uptime-kuma/issues/7038\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/louislam/uptime-kuma/issues/7135\", \"name\": \"https://github.com/louislam/uptime-kuma/issues/7135\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febae\", \"name\": \"https://github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febae\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/louislam/uptime-kuma/releases/tag/2.2.0\", \"name\": \"https://github.com/louislam/uptime-kuma/releases/tag/2.2.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-12T18:13:58.543Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-32230\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-13T16:19:12.948Z\", \"dateReserved\": \"2026-03-11T14:47:05.681Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-12T18:13:58.543Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-32230
Vulnerability from fkie_nvd - Published: 2026-03-12 19:16 - Updated: 2026-03-19 21:06
Severity ?
Summary
Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| uptime.kuma | uptime_kuma | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:uptime.kuma:uptime_kuma:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4815ABCE-2D49-4C9D-BB1E-083178EAD490",
"versionEndExcluding": "2.2.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0."
},
{
"lang": "es",
"value": "Uptime Kuma es una herramienta de monitoreo de c\u00f3digo abierto y autoalojada. Desde la versi\u00f3n 2.0.0 hasta la 2.1.3, el endpoint GET /api/badge/:id/ping/:duration? en servidor/routers/api-router.js no verifica que el monitor solicitado pertenezca a un grupo p\u00fablico. Todos los dem\u00e1s endpoints de insignia verifican AND public = 1 en su consulta SQL antes de devolver datos. El endpoint de ping omite esta verificaci\u00f3n por completo, permitiendo a usuarios no autenticados extraer datos de tiempo promedio de ping/respuesta para monitores privados. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 2.2.0."
}
],
"id": "CVE-2026-32230",
"lastModified": "2026-03-19T21:06:13.853",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-12T19:16:16.820",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febae"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/louislam/uptime-kuma/issues/7038"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/louislam/uptime-kuma/issues/7135"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-C7HF-C5P5-5G6H
Vulnerability from github – Published: 2026-03-12 14:47 – Updated: 2026-03-13 13:35
VLAI?
Summary
Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page
Details
Summary
The GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors.
Affected Code
File: server/routers/api-router.js, approximately line 304
The ping badge endpoint directly calls UptimeCalculator.getUptimeCalculator(requestedMonitorId) without first checking if the monitor is public. Compare with the status badge endpoint (~line 148) which correctly queries:
SELECT monitor_group.monitor_id FROM monitor_group, `group`
WHERE monitor_group.group_id = `group`.id
AND monitor_group.monitor_id = ?
AND public = 1
Protected vs Vulnerable Endpoints
| Endpoint | Has public=1 check? |
|---|---|
| /api/badge/:id/status | Yes |
| /api/badge/:id/uptime/:duration? | Yes |
| /api/badge/:id/avg-response/:duration? | Yes |
| /api/badge/:id/cert-exp | Yes |
| /api/badge/:id/response | Yes |
| /api/badge/:id/ping/:duration? | No — vulnerable |
PoC
- Install Uptime Kuma (tested on latest v2 stable via Docker)
- Create an HTTP(s) monitor (e.g., monitoring http://localhost:3001)
- Do NOT add the monitor to any public status page or group
- Wait for heartbeats to accumulate (~5 minutes)
- Query unauthenticated:
curl http://localhost:3001/api/badge/1/status → returns N/A (correct, monitor is private)
curl http://localhost:3001/api/badge/1/ping/24 → returns "Avg. Ping (24h): 10ms" (LEAKED)
Impact
An unauthenticated attacker can: - Enumerate private monitor IDs - Extract average response time data for private monitors - Infer existence and reachability of internal monitored services
Suggested Fix
Add the same public monitor check before the UptimeCalculator call:
let publicMonitor = await R.getRow(`
SELECT monitor_group.monitor_id FROM monitor_group, \`group\`
WHERE monitor_group.group_id = \`group\`.id
AND monitor_group.monitor_id = ?
AND public = 1
`, [requestedMonitorId]);
if (!publicMonitor) {
badgeValues.message = "N/A";
badgeValues.color = badgeConstants.naColor;
}
Severity ?
5.3 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.1.3"
},
"package": {
"ecosystem": "npm",
"name": "uptime-kuma"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32230"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T14:47:39Z",
"nvd_published_at": "2026-03-12T19:16:16Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThe `GET /api/badge/:id/ping/:duration?` endpoint in `server/routers/api-router.js` does not verify that the requested monitor belongs to a public group. All other badge endpoints check `AND public = 1` in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors.\n\n## Affected Code\n\nFile: `server/routers/api-router.js`, approximately line 304\n\nThe ping badge endpoint directly calls `UptimeCalculator.getUptimeCalculator(requestedMonitorId)` without first checking if the monitor is public. Compare with the status badge endpoint (~line 148) which correctly queries:\n```sql\nSELECT monitor_group.monitor_id FROM monitor_group, `group`\nWHERE monitor_group.group_id = `group`.id\nAND monitor_group.monitor_id = ?\nAND public = 1\n```\n\n## Protected vs Vulnerable Endpoints\n\n| Endpoint | Has public=1 check? |\n|----------|-------------------|\n| /api/badge/:id/status | Yes |\n| /api/badge/:id/uptime/:duration? | Yes |\n| /api/badge/:id/avg-response/:duration? | Yes |\n| /api/badge/:id/cert-exp | Yes |\n| /api/badge/:id/response | Yes |\n| /api/badge/:id/ping/:duration? | **No \u2014 vulnerable** |\n\n## PoC\n\n1. Install Uptime Kuma (tested on latest v2 stable via Docker)\n2. Create an HTTP(s) monitor (e.g., monitoring http://localhost:3001)\n3. Do NOT add the monitor to any public status page or group\n4. Wait for heartbeats to accumulate (~5 minutes)\n5. Query unauthenticated:\n```bash\ncurl http://localhost:3001/api/badge/1/status \u2192 returns N/A (correct, monitor is private)\ncurl http://localhost:3001/api/badge/1/ping/24 \u2192 returns \"Avg. Ping (24h): 10ms\" (LEAKED)\n```\n\n## Impact\n\nAn unauthenticated attacker can:\n- Enumerate private monitor IDs\n- Extract average response time data for private monitors\n- Infer existence and reachability of internal monitored services\n\n## Suggested Fix\n\nAdd the same public monitor check before the UptimeCalculator call:\n```javascript\nlet publicMonitor = await R.getRow(`\n SELECT monitor_group.monitor_id FROM monitor_group, \\`group\\`\n WHERE monitor_group.group_id = \\`group\\`.id\n AND monitor_group.monitor_id = ?\n AND public = 1\n`, [requestedMonitorId]);\n\nif (!publicMonitor) {\n badgeValues.message = \"N/A\";\n badgeValues.color = badgeConstants.naColor;\n}\n```\n\n\u003cimg width=\"1228\" height=\"710\" alt=\"Screenshot 2026-02-24 at 4 49 40\u202fPM\" src=\"https://github.com/user-attachments/assets/80aeae2d-be08-449f-8b39-c50da7aaedba\" /\u003e\n\n\u003cimg width=\"1271\" height=\"770\" alt=\"File Alons til View He\" src=\"https://github.com/user-attachments/assets/d50c9a00-282a-4b79-b5e1-f77afde9223a\" /\u003e",
"id": "GHSA-c7hf-c5p5-5g6h",
"modified": "2026-03-13T13:35:38Z",
"published": "2026-03-12T14:47:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32230"
},
{
"type": "WEB",
"url": "https://github.com/louislam/uptime-kuma/issues/7038"
},
{
"type": "WEB",
"url": "https://github.com/louislam/uptime-kuma/issues/7135"
},
{
"type": "WEB",
"url": "https://github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febae"
},
{
"type": "PACKAGE",
"url": "https://github.com/louislam/uptime-kuma"
},
{
"type": "WEB",
"url": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…