{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32230", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T14:47:05.681Z", "datePublished": "2026-03-12T18:13:58.543Z", "dateUpdated": "2026-03-13T16:19:12.948Z"}, "containers": {"cna": {"title": "Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h"}, {"name": "https://github.com/louislam/uptime-kuma/issues/7038", "tags": ["x_refsource_MISC"], "url": "https://github.com/louislam/uptime-kuma/issues/7038"}, {"name": "https://github.com/louislam/uptime-kuma/issues/7135", "tags": ["x_refsource_MISC"], "url": "https://github.com/louislam/uptime-kuma/issues/7135"}, {"name": "https://github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febae", "tags": ["x_refsource_MISC"], "url": "https://github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febae"}, {"name": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.0"}], "affected": [{"vendor": "louislam", "product": "uptime-kuma", "versions": [{"version": ">= 2.0.0, < 2.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T18:13:58.543Z"}, "descriptions": [{"lang": "en", "value": "Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0."}], "source": {"advisory": "GHSA-c7hf-c5p5-5g6h", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:19:08.925897Z", "id": "CVE-2026-32230", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:19:12.948Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32230", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T16:19:08.925897Z"}}}], "references": [{"url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:18:58.440Z"}}], "cna": {"title": "Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page", "source": {"advisory": "GHSA-c7hf-c5p5-5g6h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "louislam", "product": "uptime-kuma", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.2.0"}]}], "references": [{"url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h", "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/louislam/uptime-kuma/issues/7038", "name": "https://github.com/louislam/uptime-kuma/issues/7038", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/louislam/uptime-kuma/issues/7135", "name": "https://github.com/louislam/uptime-kuma/issues/7135", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febae", "name": "https://github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febae", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.0", "name": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T18:13:58.543Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32230", "state": "PUBLISHED", "dateUpdated": "2026-03-13T16:19:12.948Z", "dateReserved": "2026-03-11T14:47:05.681Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T18:13:58.543Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uptime.kuma:uptime_kuma:*:*:*:*:*:*:*:*", "matchCriteriaId": "4815ABCE-2D49-4C9D-BB1E-083178EAD490", "versionEndExcluding": "2.2.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0."}, {"lang": "es", "value": "Uptime Kuma es una herramienta de monitoreo de c\u00f3digo abierto y autoalojada. Desde la versi\u00f3n 2.0.0 hasta la 2.1.3, el endpoint GET /api/badge/:id/ping/:duration? en servidor/routers/api-router.js no verifica que el monitor solicitado pertenezca a un grupo p\u00fablico. Todos los dem\u00e1s endpoints de insignia verifican AND public = 1 en su consulta SQL antes de devolver datos. El endpoint de ping omite esta verificaci\u00f3n por completo, permitiendo a usuarios no autenticados extraer datos de tiempo promedio de ping/respuesta para monitores privados. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 2.2.0."}], "id": "CVE-2026-32230", "lastModified": "2026-03-19T21:06:13.853", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-12T19:16:16.820", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febae"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/louislam/uptime-kuma/issues/7038"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/louislam/uptime-kuma/issues/7135"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "uptime-kuma", "source": "cna", "vendor": "louislam"}, "product": "uptime-kuma", "vendor": "louislam"}], "analysis": {"en": {"generated_at": "2026-03-19T22:36:00.476780+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading Uptime Kuma to version 2.2.0 or later."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the uptime-kuma product from the louislam vendor. All releases from version 2.0.0 up to and including 2.1.3 are impacted. The fix was introduced in release 2.2.0, so any deployment running a version prior to 2.2.0 is susceptible.", "description_and_impact": "From version 2.0.0 to 2.1.3, the GET /api/badge/:id/ping/:duration? endpoint in Uptime Kuma\u2019s server/routers/api-router.js does not enforce that the requested monitor belongs to a public group. While other badge endpoints correctly authenticate the monitor\u2019s visibility in the database query, the ping endpoint omits this check entirely, enabling unauthenticated users to retrieve average ping and response time data for private monitors. This broken access control (CWE-862) allows an attacker to obtain sensitive monitoring metrics without authorization, potentially revealing performance characteristics or uptime information that could aid further attacks.", "risk_and_exploitability": "The CVSS v3.1 base score is 5.3, indicating moderate severity. The EPSS score is less than 1%, suggesting a low probability of exploitation in the wild, and the vulnerability has not been catalogued in the CISA KEV list. The attack requires only an unauthenticated HTTP GET request to the endpoint, which any internet\u2011exposed instance of Uptime Kuma can process. Because the data exposed are internal monitoring metrics, the potential damage is limited to information disclosure, but could assist attackers in planning subsequent attacks. Pilots of the vulnerability have not been widely documented, so the likelihood remains low, but the impact of any leaks warrants mitigation."}}}}, "created": "2026-03-13T09:50:29.605454+00:00", "updated": "2026-03-20T15:48:36.369526+00:00", "vendors": ["louislam", "louislam$PRODUCT$uptime-kuma"]}