Description

Uptime Kuma is an open source, self-hosted monitoring tool. In versions 2.0.0 through 2.1.3, the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints include AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0.
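
To check whether the ping badge endpoint was queried for private monitors before upgrading, the access log of a reverse proxy in front of the instance can be reviewed. The script below is an added example, not Uptime Kuma code; it assumes a combined-format access log and a set of monitor IDs that the operator knows to be in a public group, and the sample log lines and IDs are constructed.

```javascript
// Added example (not Uptime Kuma code): flag ping-badge requests for non-public monitors.
// Route shape comes from the advisory: GET /api/badge/:id/ping/:duration?
const PING_BADGE = /^\/api\/badge\/(\d+)\/ping(?:\/([^/]+))?\/?$/;
// Assumption: combined/common access-log format written by a reverse proxy.
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function findPrivatePingBadgeHits(logLines, publicMonitorIds) {
  const hits = [];
  for (const line of logLines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue; // unparseable line
    const [, client, time, method, target, status] = m;
    if (method !== "GET") continue;
    const route = PING_BADGE.exec(target.split("?")[0]); // ignore any query string
    if (!route) continue; // not the ping badge endpoint
    const monitorId = Number(route[1]);
    if (publicMonitorIds.has(monitorId)) continue; // intended public exposure
    hits.push({ client, time, monitorId, duration: route[2] ?? null, status: Number(status) });
  }
  return hits;
}

// Group hits per client; several distinct private IDs from one client deserve a closer look.
function monitorsByClient(hits) {
  const byClient = {};
  for (const h of hits) {
    const ids = byClient[h.client] || (byClient[h.client] = []);
    if (!ids.includes(h.monitorId)) ids.push(h.monitorId);
  }
  return byClient;
}

// Constructed sample data (documentation IP ranges, made-up monitor IDs).
const SAMPLE_PUBLIC_IDS = new Set([1, 2]);
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Mar/2026:10:00:01 +0000] "GET /api/badge/3/ping/24 HTTP/1.1" 200 512',
  '203.0.113.7 - - [12/Mar/2026:10:00:02 +0000] "GET /api/badge/4/ping HTTP/1.1" 200 512',
  '198.51.100.9 - - [12/Mar/2026:10:00:03 +0000] "GET /api/badge/1/ping/24?label=x HTTP/1.1" 200 512',
  '203.0.113.7 - - [12/Mar/2026:10:00:04 +0000] "GET /api/badge/5/status HTTP/1.1" 200 498',
  '203.0.113.7 - - [12/Mar/2026:10:00:05 +0000] "GET /api/badge/5/ping/24h?color=blue HTTP/1.1" 200 512',
  '203.0.113.7 - - [12/Mar/2026:10:00:06 +0000] "POST /api/badge/6/ping HTTP/1.1" 404 0',
];

const sampleHits = findPrivatePingBadgeHits(SAMPLE_LOG, SAMPLE_PUBLIC_IDS);
console.log(monitorsByClient(sampleHits));
```

Any hit for a monitor ID outside the public set means average ping data for that monitor may have been read by an unauthenticated client.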

INFO

Published Date: 2026-03-12T18:13:58.543Z

Last Modified: 2026-03-13T16:19:12.948Z

Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2026-32230 vulnerability.

Vendor: Louislam
  • Product: Uptime-kuma
Vendor: Uptime.kuma
  • Product: Uptime Kuma

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact