VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-50884

Description

statping-ng v0.93.0 allows privilege escalation to admin via non-admin API key due to missing role check in middleware.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An access control flaw exists in the authentication middleware of statping-ng v0.93.0. The function hasAPIQuery() in handlers/authentication.go accepts any valid user API key as sufficient authentication without verifying that the key belongs to an administrator, and IsFullAuthenticated() in handlers/handlers.go treats that result as full authentication. As a result, non-admin users can reach administrative endpoints such as POST /api/users [1].

Exploitation

An attacker must possess a valid API key for any non-admin user of the target instance. With this key, they can send a POST /api/users?api=<non_admin_user_api_key> request with a JSON body specifying a new user with administrator privileges. The request bypasses the role check and the new admin user is created; the attacker can then log in as that account and use all administrative functionality [1].

Impact

Successful exploitation grants the attacker persistent administrative control of the statping-ng instance. They can create, modify, or delete users and reach any other administrator-only functionality, which amounts to a complete compromise of the application's confidentiality, integrity, and availability [1].

Mitigation

As of the publication date (2026-06-15), no official patch has been released for statping-ng v0.93.0. Until one is available, treat every user API key as equivalent to an administrator credential: restrict who holds user API keys and where they are stored, add an explicit role check in front of administrative endpoints at the application layer, and do not expose the administrative API (for example POST /api/users) to untrusted networks [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing administrator-role check in hasAPIQuery() allows any valid user API key to satisfy full authentication for admin-only routes."

Attack vector

An attacker who possesses any valid non-admin user API key can supply it as the `api` query parameter on a request to an administrative endpoint (e.g., `POST /api/users`). The `hasAPIQuery()` function matches the key against the database of user API keys without checking the user's role, and `IsFullAuthenticated()` accepts this as full authentication. The attacker can then create a new user with the `administrator` flag, escalating privileges to full administrative control [ref_id=1].

Affected code

The vulnerability resides in `handlers/authentication.go::hasAPIQuery()` and `handlers/handlers.go::IsFullAuthenticated()`. `hasAPIQuery()` accepts any user API key without verifying the user is an administrator, and `IsFullAuthenticated()` treats that result as sufficient for admin-level routes. This allows non-admin API keys to pass middleware intended for administrator-only endpoints such as `POST /api/users` [ref_id=1].

What the fix does

The advisory does not include a published patch. The recommended fix is to modify `hasAPIQuery()` or the calling middleware to verify that the matched user's role is `administrator` before granting access to admin-only routes. Without this role check, any valid user API key is treated as equivalent to the global admin secret [ref_id=1].

Preconditions

  • auth: Attacker must have a valid API key for any non-admin user of the statping-ng instance.
  • config: The target statping-ng instance must be running version 0.93.0.
  • network: The administrative endpoint (e.g., POST /api/users) must be reachable over the network.

Reproduction

Obtain the API key for a normal non-admin statping-ng 0.93.0 user. Send `POST /api/users?api=<non_admin_user_api_key>` with a request body for a new user account marked as administrator. Observe that the request passes `IsFullAuthenticated()` through `hasAPIQuery()`. Query the user list or log in as the newly created account to confirm administrative access [ref_id=1].
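The following Go program is an added example that models the behaviour described in the Exploitation, Attack vector, What the fix does and Reproduction sections above. It is not code from statping-ng or from the advisory: the `User` and `store` types, the sample accounts and API keys, and the functions `hasAPIQueryVulnerable` and `hasAPIQueryFixed` are assumptions made for illustration, standing in for the project's real `hasAPIQuery()`/`IsFullAuthenticated()` middleware. It wires an admin-only `POST /api/users` behind each check and replays the `?api=<non_admin_user_api_key>` request from the advisory, so you can see the non-admin key create an administrator against the vulnerable check and be rejected once the role check is in place.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// User is a simplified stand-in for a statping-ng account. The field names
// are assumptions made for this example, not the project's own types.
type User struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Admin    bool   `json:"admin"`
	APIKey   string `json:"-"`
}

// store is an in-memory stand-in for the users table, seeded with
// constructed sample accounts and keys.
type store struct {
	users map[string]*User // keyed by username
}

func newStore() *store {
	return &store{users: map[string]*User{
		"admin":  {Username: "admin", Admin: true, APIKey: "admin-key-0000"},
		"viewer": {Username: "viewer", Admin: false, APIKey: "viewer-key-1111"},
	}}
}

// byAPIKey returns the user that owns key, if any.
func (s *store) byAPIKey(key string) (*User, bool) {
	for _, u := range s.users {
		if u.APIKey == key {
			return u, true
		}
	}
	return nil, false
}

// hasAPIQueryVulnerable models the flaw the advisory describes: any user API
// key present in the database satisfies the check, regardless of role.
func hasAPIQueryVulnerable(s *store, r *http.Request) bool {
	key := r.URL.Query().Get("api")
	if key == "" {
		return false
	}
	_, ok := s.byAPIKey(key)
	return ok
}

// hasAPIQueryFixed adds the missing role check: the matched key must belong
// to an administrator before it counts as full authentication.
func hasAPIQueryFixed(s *store, r *http.Request) bool {
	key := r.URL.Query().Get("api")
	if key == "" {
		return false
	}
	u, ok := s.byAPIKey(key)
	return ok && u.Admin
}

// newServer puts an admin-only POST /api/users behind the chosen check.
func newServer(s *store, fullAuth func(*store, *http.Request) bool) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/users", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || !fullAuth(s, r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		var u User
		if err := json.NewDecoder(r.Body).Decode(&u); err != nil || u.Username == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		s.users[u.Username] = &u
		w.WriteHeader(http.StatusOK)
	})
	return mux
}

// escalate replays the advisory's request, POST /api/users?api=<key> with a
// body requesting a new administrator, and reports the HTTP status plus
// whether an account named "backdoor" now exists with the admin flag set.
func escalate(s *store, h http.Handler, apiKey string) (int, bool) {
	body := `{"username":"backdoor","password":"x","admin":true}`
	req := httptest.NewRequest(http.MethodPost, "/api/users?api="+apiKey, strings.NewReader(body))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	u, exists := s.users["backdoor"]
	return rec.Code, exists && u.Admin
}

func main() {
	vuln := newStore()
	code, created := escalate(vuln, newServer(vuln, hasAPIQueryVulnerable), "viewer-key-1111")
	fmt.Printf("vulnerable middleware: status=%d, admin created=%v\n", code, created)

	fixed := newStore()
	code, created = escalate(fixed, newServer(fixed, hasAPIQueryFixed), "viewer-key-1111")
	fmt.Printf("fixed middleware: status=%d, admin created=%v\n", code, created)
}
```

The only difference between the two checks is the `u.Admin` condition, which is the role check the advisory says is missing. Note that the fix belongs in the middleware that decides full authentication, not in the individual handlers: if only `POST /api/users` were patched, every other route gated by the same check would remain reachable with a non-admin key.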

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.