Git · Uptime Kuma · CVE-2026-32230
**Name of the Vulnerable Software and Affected Versions**
Uptime Kuma versions 2.0.0 through 2.1.3
**Description**
Uptime Kuma is an open source, self-hosted monitoring tool. The `GET /api/badge/:id/ping/:duration?` endpoint in `server/routers/api-router.js` does not verify that the requested monitor belongs to a public group. All other badge endpoints check for public access before returning data, but the ping endpoint skips this check: the public-access check is missing before the call to `UptimeCalculator.getUptimeCalculator(requestedMonitorId)`. The vulnerable endpoint is `/api/badge/:id/ping/:duration?`, and the vulnerable variable is `requestedMonitorId`. An unauthenticated attacker can enumerate private monitor IDs and extract average ping/response time data for private monitors, potentially inferring the existence and reachability of internal monitored services.
**Recommendations**
Versions prior to 2.2.0 are affected.
Update to version 2.2.0 or later to resolve this issue.
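To check whether the ping badge endpoint described above was queried for non-public monitors before the upgrade, the following added example (not Uptime Kuma code and not from the advisory) scans reverse-proxy access logs. It assumes the nginx/Apache "combined" log format and an operator-supplied list of public monitor IDs; the function names, the threshold and the sample log lines are constructed for illustration.

```javascript
// Added example, not Uptime Kuma code. Log lines below are constructed.
// Path pattern for the endpoint named in the advisory: /api/badge/:id/ping/:duration?
// Express routes are case-insensitive and tolerate a trailing slash by default.
const PING_BADGE = /^\/api\/badge\/([^\/?#]+)\/ping(?:\/[^\/?#]*)?\/?(?:[?#].*)?$/i;
// Assumed log format: nginx/Apache "combined" (client first, quoted request line).
const LOG_LINE = /^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+) [^"]*" (\d{3}) /;

function parsePingBadgeHit(line) {
  const m = LOG_LINE.exec(line);
  if (!m || m[2] !== "GET") return null;
  const p = PING_BADGE.exec(m[3]);
  if (!p) return null;
  return { client: m[1], monitorId: p[1], status: Number(m[4]) };
}

// publicIds: monitor IDs the operator has placed in public groups (assumed input).
// Returns one entry per client that requested a ping badge for a non-public ID.
function findPrivatePingBadgeAccess(lines, publicIds, enumerationThreshold = 3) {
  const publicSet = new Set([...publicIds].map(String));
  const byClient = new Map();
  for (const line of lines) {
    const hit = parsePingBadgeHit(line);
    if (!hit || publicSet.has(hit.monitorId)) continue;
    if (!byClient.has(hit.client)) byClient.set(hit.client, new Set());
    byClient.get(hit.client).add(hit.monitorId);
  }
  return [...byClient].map(([client, ids]) => ({
    client,
    privateIds: [...ids].sort((a, b) => a.localeCompare(b, undefined, { numeric: true })),
    likelyEnumeration: ids.size >= enumerationThreshold, // threshold is an assumption
  }));
}

// Constructed sample log (documentation IP ranges, not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /api/badge/1/ping/24 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [01/Jan/2026:10:00:05 +0000] "GET /api/badge/3/ping HTTP/1.1" 200 498 "-" "curl/8.5.0"',
  '198.51.100.23 - - [01/Jan/2026:10:00:06 +0000] "GET /api/badge/4/ping/24?style=flat HTTP/1.1" 200 501 "-" "curl/8.5.0"',
  '198.51.100.23 - - [01/Jan/2026:10:00:07 +0000] "GET /api/badge/5/ping/720 HTTP/1.1" 200 499 "-" "curl/8.5.0"',
  '198.51.100.23 - - [01/Jan/2026:10:00:08 +0000] "GET /api/badge/4/ping HTTP/1.1" 200 501 "-" "curl/8.5.0"',
  '192.0.2.50 - - [01/Jan/2026:10:01:00 +0000] "GET /api/badge/9/uptime/24 HTTP/1.1" 200 530 "-" "Mozilla/5.0"',
  '192.0.2.50 - - [01/Jan/2026:10:01:02 +0000] "GET /api/badge/7/ping/24 HTTP/1.1" 200 505 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [01/Jan/2026:10:02:00 +0000] "POST /api/badge/8/ping HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
];
const PUBLIC_MONITOR_IDS = [1, 2];

console.log(findPrivatePingBadgeAccess(SAMPLE_LOG, PUBLIC_MONITOR_IDS));
```

Requests for other badge types and for monitors in the public set are ignored, so every reported ID is one whose ping data should not have been reachable without authentication.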