Moderate severityNVD Advisory· Published Mar 12, 2026· Updated Mar 13, 2026
Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page
CVE-2026-32230
Description
Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
uptime-kumanpm | >= 2.0.0, < 2.2.0 | 2.2.0 |
Affected products
2- Range: >= 2.0.0, < 2.2.0
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-c7hf-c5p5-5g6hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32230ghsaADVISORY
- github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febaeghsax_refsource_MISCWEB
- github.com/louislam/uptime-kuma/issues/7038ghsax_refsource_MISCWEB
- github.com/louislam/uptime-kuma/issues/7135ghsax_refsource_MISCWEB
- github.com/louislam/uptime-kuma/releases/tag/2.2.0ghsax_refsource_MISCWEB
- github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6hghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.