CVE-2026-50884
Incorrect Access Control in Statping-ng Allows Privilege Escalation

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components.
Affected Vendors & Products
Vendor: statping
Product: statping-ng
Version / Range: 0.93.0
Executive Summary

CVE-2026-50884 is a vulnerability in statping-ng version 0.93.0 where the access control mechanism is flawed. Specifically, any valid user API key, including those belonging to non-admin users, is mistakenly treated as full authentication for admin-protected routes.

This happens because the function that checks API keys (`hasAPIQuery()`) accepts a key if it matches either the global secret or any user's API key, without verifying that the user holds administrator privileges. Admin-protected routes then trust this check as sufficient authentication, so role-based access control is bypassed.

An attacker who obtains a non-admin user's API key can exploit this by sending requests to administrative endpoints, such as creating new users with administrator privileges, thereby escalating their privileges to full administrator.

Impact Analysis

This vulnerability allows an attacker with any valid non-admin API key to gain persistent full administrative control over the Statping instance.

  • An attacker can create new administrator accounts.
  • The attacker can access sensitive components and perform actions reserved for administrators.
  • This leads to a complete compromise of the affected system's security and integrity.
Detection Guidance

This vulnerability can be detected by monitoring for unauthorized use of non-admin API keys to access administrative endpoints. Specifically, look for requests to administrative routes such as POST /api/users that include an api query parameter with a non-admin user's API key.

A practical detection method is to analyze web server or application logs for suspicious API calls where non-admin API keys are used to invoke admin-level actions.

Example command to search logs for such requests (assuming logs are in access.log):

  • `grep -E 'POST /api/users\?api=' access.log`

Further investigation should verify if the API key belongs to a non-admin user and if the request resulted in creation or modification of administrator accounts.
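The log-analysis step described above, as an added example that is not part of this advisory or of statping-ng: it parses constructed Combined-Log-Format lines, extracts the `api` query parameter, looks the key up in an assumed key-to-role inventory (`KEY_ROLES`, exported by the operator from the Statping user table), and flags every request to the user-management routes (assumed prefix `/api/users`) made with a key that is not an administrator's, recording whether the request succeeded.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jun/2026:10:01:02 +0000] "GET /api/services?api=key-ops-bob HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [15/Jun/2026:10:01:09 +0000] "POST /api/users?api=key-ops-bob HTTP/1.1" 200 184 "-" "curl/8.0"
10.0.0.9 - - [15/Jun/2026:10:02:11 +0000] "POST /api/users?api=key-admin-alice HTTP/1.1" 200 184 "-" "curl/8.0"
10.0.0.7 - - [15/Jun/2026:10:03:30 +0000] "GET /api/users?api=key-ops-bob HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Jun/2026:10:04:00 +0000] "POST /api/users HTTP/1.1" 401 20 "-" "curl/8.0"
10.0.0.8 - - [15/Jun/2026:10:05:15 +0000] "POST /api/users?api=key-stale-9f2 HTTP/1.1" 403 12 "-" "curl/8.0"
"""

# Hypothetical key-to-role inventory; in practice exported from the Statping user table.
KEY_ROLES = {"key-admin-alice": "admin", "key-ops-bob": "user"}

# Assumption: every route under /api/users is reserved for administrators.
ADMIN_PREFIXES = ("/api/users",)

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def parse_line(line):
    """Split one access-log line into its fields; return None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    key = parse_qs(parts.query).get("api", [None])[0]
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": parts.path, "status": int(m["status"]), "api_key": key}


def find_escalation_attempts(log_text, key_roles, admin_prefixes=ADMIN_PREFIXES):
    """Return admin-route requests whose API key is not an admin key.
    Keys absent from the inventory are reported as 'unknown': a revoked or foreign key
    on an admin route deserves the same follow-up as a known non-admin one."""
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None or req["api_key"] is None or not req["path"].startswith(admin_prefixes):
            continue
        role = key_roles.get(req["api_key"], "unknown")
        if role != "admin":
            req["role"] = role
            req["succeeded"] = 200 <= req["status"] < 300  # 2xx means the action went through
            hits.append(req)
    return hits


if __name__ == "__main__":
    for hit in find_escalation_attempts(SAMPLE_LOG, KEY_ROLES):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} key={hit["api_key"]} '
              f'role={hit["role"]} succeeded={hit["succeeded"]}')
```

Because the key travels in the query string it is written into the access log verbatim, so these logs are themselves sensitive and should be access-controlled and rotated accordingly.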

Mitigation Strategies

Immediate mitigation steps include restricting or revoking non-admin API keys to prevent their use in administrative endpoints.

Additionally, avoid using the vulnerable version 0.93.0 of statping-ng until a patch or update is available that properly enforces role-based access control.

Monitor and audit API key usage to detect and block unauthorized privilege escalation attempts.

If possible, implement network-level controls such as firewall rules to limit access to administrative API endpoints only to trusted users or IP addresses.
