CVE-2026-32230 Overview
CVE-2026-32230 is a Missing Authorization vulnerability (CWE-862) affecting Uptime Kuma, an open source, self-hosted monitoring tool. From versions 2.0.0 to 2.1.3, the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js fails to verify that the requested monitor belongs to a public group. While all other badge endpoints properly check AND public = 1 in their SQL queries before returning data, the ping endpoint skips this authorization check entirely. This allows unauthenticated users to extract average ping/response time data for private monitors.
Critical Impact
Unauthenticated attackers can access sensitive performance metrics from private monitors, potentially revealing internal infrastructure details and network latency information that should remain confidential.
Affected Products
- Uptime Kuma versions 2.0.0 through 2.1.3
- Self-hosted Uptime Kuma instances with private monitors configured
- Deployments exposing the badge API endpoints to untrusted networks
Discovery Timeline
- 2026-03-12 - CVE-2026-32230 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32230
Vulnerability Analysis
This vulnerability represents a classic Missing Authorization flaw where an API endpoint lacks proper access control verification. The affected endpoint GET /api/badge/:id/ping/:duration? accepts a monitor ID parameter but does not validate whether that monitor should be publicly accessible. This inconsistency in authorization checking across related endpoints creates a security gap that can be exploited by unauthenticated attackers to enumerate and extract data from monitors marked as private.
The exposure allows attackers to gather intelligence about internal infrastructure, including response times that could reveal network topology information or service availability patterns intended to remain private.
Root Cause
The root cause is an inconsistent implementation of authorization checks across badge-related API endpoints. While other badge endpoints include AND public = 1 in their SQL queries to ensure only public monitors return data, the ping endpoint was implemented without this critical check. This oversight in the server/routers/api-router.js file allowed the authorization bypass to exist from version 2.0.0 through 2.1.3.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can directly query the vulnerable endpoint with arbitrary monitor IDs to extract ping/response time data. By iterating through potential monitor IDs, an attacker could systematically enumerate and extract timing data from all private monitors in a target Uptime Kuma instance.
The fix refactors the authorization check into a reusable isMonitorPublic() function that is consistently applied:
throw new Error("Invalid monitor ID");
}
const overrideValue = value !== undefined ? parseInt(value) : undefined;
-
- let publicMonitor = await R.getRow(
- `
- SELECT monitor_group.monitor_id FROM monitor_group, \`group\`
- WHERE monitor_group.group_id = \`group\`.id
- AND monitor_group.monitor_id = ?
- AND public = 1
- `,
- [requestedMonitorId]
- );
-
+ const publicMonitor = await isMonitorPublic(requestedMonitorId);
const badgeValues = { style };
if (!publicMonitor) {
Source: GitHub Commit Details
Detection Methods for CVE-2026-32230
Indicators of Compromise
- Unusual volume of requests to /api/badge/*/ping/* endpoints from external IP addresses
- Sequential monitor ID enumeration attempts in web server access logs
- Access to badge ping endpoints for monitors not configured as public
- Requests to the ping badge endpoint without corresponding authentication tokens
Detection Strategies
- Monitor web server access logs for repeated requests to /api/badge/:id/ping/:duration? with varying monitor IDs
- Implement rate limiting and anomaly detection for badge API endpoints
- Configure alerts for access attempts to private monitor resources from unauthenticated sessions
- Review application logs for authorization failures or unexpected monitor data access patterns
Monitoring Recommendations
- Enable detailed logging for all badge API endpoint access
- Implement network-level monitoring to detect enumeration attempts against the Uptime Kuma instance
- Configure SIEM rules to correlate badge endpoint access patterns with monitor visibility settings
- Establish baseline metrics for legitimate badge API usage to identify anomalous activity
How to Mitigate CVE-2026-32230
Immediate Actions Required
- Upgrade Uptime Kuma to version 2.2.0 or later immediately
- Review access logs for evidence of prior exploitation attempts
- Consider temporarily restricting network access to the badge API endpoints until patching is complete
- Audit all monitors to understand potential exposure of sensitive timing data
Patch Information
The vulnerability is fixed in Uptime Kuma version 2.2.0. The patch introduces a centralized isMonitorPublic() function that consistently enforces authorization checks across all badge endpoints. Organizations should upgrade to this version through their standard deployment process.
For more details, see the GitHub Release 2.2.0 and the GitHub Security Advisory GHSA-c7hf-c5p5-5g6h.
Workarounds
- Restrict network access to the Uptime Kuma instance using firewall rules or reverse proxy configurations
- Implement web application firewall (WAF) rules to block unauthenticated access to badge endpoints
- Use network segmentation to limit exposure of the monitoring tool to trusted internal networks only
- Consider temporarily disabling badge functionality if not required until the patch can be applied
# Example nginx configuration to restrict badge endpoint access
location ~ ^/api/badge/ {
allow 10.0.0.0/8;
allow 192.168.0.0/16;
deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
