CVE-2026-50884
Deferred Deferred - Pending Action

Incorrect Access Control in Statping-ng Allows Privilege Escalation

Vulnerability report for CVE-2026-50884, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: MITRE

Description

Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
statping statping-ng 0.93.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-50884 allows attackers to escalate privileges to Administrator and access sensitive components by exploiting incorrect access control in statping-ng v0.93.0.

This unauthorized privilege escalation and access to sensitive data could lead to violations of common standards and regulations such as GDPR and HIPAA, which require strict access controls and protection of sensitive information.

By enabling attackers to gain persistent full administrative control, the vulnerability increases the risk of unauthorized data access, modification, or disclosure, potentially resulting in non-compliance with these regulations.

Executive Summary

CVE-2026-50884 is a vulnerability in statping-ng version 0.93.0 where the access control mechanism is flawed. Specifically, any valid user API key, including those belonging to non-admin users, is mistakenly treated as full authentication for admin-protected routes.

This happens because the function that checks API keys (`hasAPIQuery()`) accepts an API key if it matches either a global secret or a user's API key, without verifying if the user has administrator privileges. As a result, the system trusts this check and bypasses role-based access controls.

An attacker who obtains a non-admin user's API key can exploit this by sending requests to administrative endpoints, such as creating new users with administrator privileges, thereby escalating their privileges to full administrator.

Impact Analysis

This vulnerability allows an attacker with any valid non-admin API key to gain persistent full administrative control over the Statping instance.

  • An attacker can create new administrator accounts.
  • The attacker can access sensitive components and perform actions reserved for administrators.
  • This leads to a complete compromise of the affected system's security and integrity.
Detection Guidance

This vulnerability can be detected by monitoring for unauthorized use of non-admin API keys to access administrative endpoints. Specifically, look for requests to administrative routes such as POST /api/users that include an api query parameter with a non-admin user's API key.

A practical detection method is to analyze web server or application logs for suspicious API calls where non-admin API keys are used to invoke admin-level actions.

Example command to search logs for such requests (assuming logs are in access.log):

  • grep -E 'POST /api/users\?api=' access.log

Further investigation should verify if the API key belongs to a non-admin user and if the request resulted in creation or modification of administrator accounts.

Mitigation Strategies

Immediate mitigation steps include restricting or revoking non-admin API keys to prevent their use in administrative endpoints.

Additionally, avoid using the vulnerable version 0.93.0 of statping-ng until a patch or update is available that properly enforces role-based access control.

Monitor and audit API key usage to detect and block unauthorized privilege escalation attempts.

If possible, implement network-level controls such as firewall rules to limit access to administrative API endpoints only to trusted users or IP addresses.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50884. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart