Impact Analysis

This vulnerability can impact you by allowing unauthorized users to access sensitive monitoring data about your private monitors without authentication.

Specifically, attackers can extract average ping or response time information for private monitors, potentially revealing the existence, reachability, and performance of internal or private services that you intended to keep confidential.

Such information leakage could aid attackers in reconnaissance activities, helping them map your internal network or identify targets for further attacks.

The vulnerability has a moderate severity with a CVSS v3.1 base score of 5.3, indicating a network attack vector with low complexity and no required privileges or user interaction.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-32230 is a vulnerability in the open source monitoring tool Uptime Kuma, versions 2.0.0 to 2.1.3. The issue exists in the GET /api/badge/:id/ping/:duration? endpoint, which fails to verify whether the requested monitor belongs to a public group before returning data.

While other badge endpoints enforce a check that the monitor is public (by verifying public = 1 in their SQL queries), the ping badge endpoint skips this authorization check entirely. This allows unauthenticated users to access average ping or response time data for private monitors.

The vulnerability is due to missing authorization (CWE-862) and can be exploited by enumerating private monitor IDs and retrieving sensitive monitoring data without authentication. It was fixed in version 2.2.0 by adding proper public monitor verification before returning ping badge data.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the GET /api/badge/:id/ping/:duration? endpoint on an Uptime Kuma instance running versions 2.0.0 to 2.1.3 without authentication and checking if it returns average ping/response time data for private monitors.'}, {'type': 'paragraph', 'content': 'A practical detection method is to enumerate monitor IDs and query the ping badge endpoint unauthenticated. If the endpoint returns valid ping data for private monitors (which should not be publicly accessible), the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Example command using curl to test a specific monitor ID and duration (replace <monitor_id> and <duration>):'}, {'type': 'list_item', 'content': 'curl -i http://<uptime-kuma-host>/api/badge/<monitor_id>/ping/<duration>'}, {'type': 'paragraph', 'content': 'If the response contains average ping data for a private monitor, the vulnerability exists. In contrast, other badge endpoints should return "N/A" or deny access for private monitors.'}] [5]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Uptime Kuma to version 2.2.0 or later, where this vulnerability is fixed by enforcing proper authorization checks on the ping badge endpoint.

The fix involves verifying that the requested monitor belongs to a public group before returning ping data, preventing unauthenticated users from accessing private monitor information.

If upgrading immediately is not possible, consider restricting network access to the vulnerable endpoint or implementing additional authentication or firewall rules to prevent unauthenticated access to the /api/badge/:id/ping/:duration? endpoint.

Review the Security tab on the Uptime Kuma GitHub repository for detailed mitigation guidance and monitor for updates.

Useful 0 Not Useful 0