Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-c7hf-c5p5-5g6h

MEDIUM

Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page

Also known asCVE-2026-32230
Published
Mar 12, 2026
Updated
Mar 14, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.9%probability of exploitation in next 30 days
Lower Risk55th percentile+0.12%
0.00%0.47%0.94%1.41%0.0%0.1%0.8%0.9%Apr 26Jun 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

uptime-kumanpm
53downloads / week

Description

Summary

The GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors.

Affected Code

File: server/routers/api-router.js, approximately line 304

The ping badge endpoint directly calls UptimeCalculator.getUptimeCalculator(requestedMonitorId) without first checking if the monitor is public. Compare with the status badge endpoint (~line 148) which correctly queries:

SELECT monitor_group.monitor_id FROM monitor_group, `group`
WHERE monitor_group.group_id = `group`.id
AND monitor_group.monitor_id = ?
AND public = 1

Protected vs Vulnerable Endpoints

EndpointHas public=1 check?
/api/badge/:id/statusYes
/api/badge/:id/uptime/:duration?Yes
/api/badge/:id/avg-response/:duration?Yes
/api/badge/:id/cert-expYes
/api/badge/:id/responseYes
/api/badge/:id/ping/:duration?No — vulnerable

PoC

  1. Install Uptime Kuma (tested on latest v2 stable via Docker)
  2. Create an HTTP(s) monitor (e.g., monitoring http://localhost:3001)
  3. Do NOT add the monitor to any public status page or group
  4. Wait for heartbeats to accumulate (~5 minutes)
  5. Query unauthenticated:
curl http://localhost:3001/api/badge/1/status   → returns N/A (correct, monitor is private)
curl http://localhost:3001/api/badge/1/ping/24  → returns "Avg. Ping (24h): 10ms" (LEAKED)

Impact

An unauthenticated attacker can:

  • Enumerate private monitor IDs
  • Extract average response time data for private monitors
  • Infer existence and reachability of internal monitored services

Suggested Fix

Add the same public monitor check before the UptimeCalculator call:

let publicMonitor = await R.getRow(`
    SELECT monitor_group.monitor_id FROM monitor_group, \`group\`
    WHERE monitor_group.group_id = \`group\`.id
    AND monitor_group.monitor_id = ?
    AND public = 1
`, [requestedMonitorId]);

if (!publicMonitor) {
    badgeValues.message = "N/A";
    badgeValues.color = badgeConstants.naColor;
}
<img width="1228" height="710" alt="Screenshot 2026-02-24 at 4 49 40 PM" src="https://github.com/user-attachments/assets/80aeae2d-be08-449f-8b39-c50da7aaedba" /> <img width="1271" height="770" alt="File Alons til View He" src="https://github.com/user-attachments/assets/d50c9a00-282a-4b79-b5e1-f77afde9223a" />

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npmuptime-kuma2.0.0&&< 2.2.02.2.0

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for uptime-kuma. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update uptime-kuma to 2.2.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-c7hf-c5p5-5g6h is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-c7hf-c5p5-5g6h is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-c7hf-c5p5-5g6h. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary The `GET /api/badge/:id/ping/:duration?` endpoint in `server/routers/api-router.js` does not verify that the requested monitor belongs to a public group. All other badge endpoints check `AND public = 1` in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. ## Affected Code File: `server/routers/api-router.js`, approximately line 304 The ping badge endpoint directly calls `UptimeCalculator.getUptimeCalculator(requestedMonitorId)` without first checking
O3 Security · Impact-Aware SCA

Is GHSA-c7hf-c5p5-5g6h in your dependencies?

O3 detects GHSA-c7hf-c5p5-5g6h across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works
GHSA-c7hf-c5p5-5g6h: uptime-kuma (Medium 5.3) | O3 Security