CVE-2026-32230
Published 2026-03-12
Priority: P3 (41) · Severity: medium · CVSS 3.1 base score: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.91% (55.3rd percentile)
Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3, the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| louislam | uptime-kuma | — | — |
| louislam | uptime-kuma | >= 2.0.0 < 2.2.0 | 2.2.0 |
| uptime.kuma | uptime_kuma | >= 2.0.0 < 2.2.0 | 2.2.0 |
OSV
Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page
osv · 2026-03-12 · CVE-2026-32230 · severity: MEDIUM
## Summary
The `GET /api/badge/:id/ping/:duration?` endpoint in `server/routers/api-router.js` does not verify that the requested monitor belongs to a public group. All other badge endpoints check `AND public = 1` in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors.
## Affected Code
File: `server/routers/api-router.js`, approximately line 304
The ping badge endpoint directly calls `UptimeCalculator.getUptimeCalculator(requestedMonitorId)` without first checking if the monitor is public. Compare with the status badge endpoin
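The missing check described above, as an added example that is not Uptime Kuma's code: a constructed in-memory stand-in for the monitor table, a lookup that mirrors the `AND public = 1` condition the other badge endpoints apply, the ping badge handler in its vulnerable shape beside the hardened one, and a regression check that a private monitor is indistinguishable from an unknown id. The records, `findPublicMonitor`, `pingBadgeVulnerable`, `pingBadgeFixed` and `leaksPrivateData` are assumptions for illustration, not the project's API.

```javascript
// Constructed stand-in for the monitor table; not Uptime Kuma's schema or code.
// "public" mirrors the column the other badge endpoints test with AND public = 1.
const monitors = [
  { id: 1, public: 1, avgPing: { 24: 42, 720: 45 } },
  { id: 2, public: 0, avgPing: { 24: 7, 720: 9 } },
];

// Equivalent of "... WHERE id = ? AND public = 1": a private monitor
// resolves to null exactly like a nonexistent one.
function findPublicMonitor(id) {
  return monitors.find((m) => m.id === id && m.public === 1) || null;
}

// Lookup by id alone, the shape the advisory describes for the ping endpoint.
function findMonitorById(id) {
  return monitors.find((m) => m.id === id) || null;
}

// Route params arrive as strings (":id", optional ":duration"); parse them
// before the lookup so "2" matches the numeric id and bad input is rejected.
function parseParams(params) {
  const id = Number(params.id);
  const duration = params.duration === undefined ? 24 : Number(params.duration);
  if (!Number.isInteger(id) || !Number.isInteger(duration)) return null;
  return { id, duration };
}

// Badge payload (constructed shape); unknown monitor or duration gives "N/A".
function renderBadge(monitor, duration) {
  const avg = monitor ? monitor.avgPing[duration] : undefined;
  if (avg === undefined) return { status: 404, body: { label: "Ping", message: "N/A" } };
  return { status: 200, body: { label: "Ping", message: `${avg}ms` } };
}

// Vulnerable handler: the public flag is never consulted.
function pingBadgeVulnerable(params) {
  const p = parseParams(params);
  return renderBadge(p && findMonitorById(p.id), p ? p.duration : 24);
}

// Hardened handler: resolve through the public-only lookup, as the other
// badge endpoints do, so private monitors answer exactly like unknown ids.
function pingBadgeFixed(params) {
  const p = parseParams(params);
  return renderBadge(p && findPublicMonitor(p.id), p ? p.duration : 24);
}

// Regression check: no private monitor may be distinguishable from an unknown id.
function leaksPrivateData(handler) {
  const unknown = JSON.stringify(handler({ id: "9999" }));
  return monitors
    .filter((m) => m.public !== 1)
    .some((m) => JSON.stringify(handler({ id: String(m.id) })) !== unknown);
}
```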
GHSA
Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page
ghsa · 2026-03-12 · CVE-2026-32230 · severity: MEDIUM · CWE-862
No detection rules found.
Nuclei
Uptime-Kuma < v1.23.0 - Improper Access Control
nuclei · CVSS 5.3 · CVE-2026-32230 · severity: MEDIUM
Uptime-Kuma before v1.23.0 is vulnerable to an information disclosure issue due to missing authorization on the /api/badge/1/ping/24 endpoint. An unauthenticated attacker can access this endpoint to leak ping statistics, such as average ping and ping history, for existing monitors without needing access to the protected status page. This can lead to unintended exposure of internal monitoring data.
Template:

```yaml
id: CVE-2026-32230

info:
  name: Uptime-Kuma < v1.23.0 - Improper Access Control
  author: ritikchaddha
  severity: medium
  description: |
    Uptime-Kuma before v1.23.0 is vulnerable to an information disclosure issue due to missing authorization on the /api/badge/1/ping/24 endpoint. An unauthenticated attacker can access this endpoint to leak p
```
References:
- https://github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febae
- https://github.com/louislam/uptime-kuma/issues/7038
- https://github.com/louislam/uptime-kuma/issues/7135
- https://github.com/louislam/uptime-kuma/releases/tag/2.2.0
- https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h