PT-2026-25041 · Git+3 · Uptime Kuma

Kuranikaran · Published 2026-03-12 · Updated 2026-03-12

CVE-2026-32230
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Uptime Kuma versions 2.0.0 through 2.1.3
Description: Uptime Kuma is an open source, self-hosted monitoring tool. The GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check for public access before returning data, but the ping endpoint skips this check. This allows unauthenticated users to extract average ping/response time data for private monitors. The issue is a missing check for public access before calling UptimeCalculator.getUptimeCalculator(requestedMonitorId). The vulnerable endpoint is "/api/badge/:id/ping/:duration?", and the vulnerable variable is requestedMonitorId. An unauthenticated attacker can enumerate private monitor IDs and extract average response time data for private monitors, potentially inferring the existence and reachability of internal monitored services.
Recommendations: Versions prior to 2.2.0 are affected. Update to version 2.2.0 or later to resolve this issue.
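The following is an added illustration, not Uptime Kuma's own code: a minimal in-memory model of the badge endpoint's authorization decision, with the ping handler shown once without the public-group check (the defect described above) and once with it. The table layout (monitor_group linking monitors to groups, a public flag on the group) and the 404 response for non-public monitors are assumptions standing in for the real server.

```javascript
// Constructed sample data standing in for the monitor, group and
// monitor_group tables (assumption: this is not the real schema).
const monitors = { 1: { avgPingMs: 42 }, 2: { avgPingMs: 310 } };
const groups = { 10: { public: true }, 11: { public: false } };
const monitorGroup = [
  { monitorId: 1, groupId: 10 }, // monitor 1 sits in a public group
  { monitorId: 2, groupId: 11 }, // monitor 2 is private
];

// The "belongs to at least one public group" test that the other badge
// endpoints perform and that the ping endpoint omitted.
function isPublicMonitor(monitorId) {
  return monitorGroup.some(
    (mg) => mg.monitorId === monitorId && groups[mg.groupId]?.public === true
  );
}

function parseMonitorId(idParam) {
  const id = parseInt(idParam, 10);
  return Number.isInteger(id) && id > 0 ? id : null;
}

// Vulnerable shape: any ID supplied by an anonymous caller reaches the
// data lookup, so private monitors leak their average response time.
function pingBadgeVulnerable(idParam) {
  const requestedMonitorId = parseMonitorId(idParam);
  const m = requestedMonitorId !== null ? monitors[requestedMonitorId] : undefined;
  if (!m) return { status: 404 };
  return { status: 200, body: { avgPingMs: m.avgPingMs } };
}

// Fixed shape: the public check runs before any data is read, and
// "does not exist" and "not public" are indistinguishable to the caller,
// so the endpoint cannot be used to confirm which private IDs exist.
function pingBadgeFixed(idParam) {
  const requestedMonitorId = parseMonitorId(idParam);
  const m = requestedMonitorId !== null ? monitors[requestedMonitorId] : undefined;
  if (!m || !isPublicMonitor(requestedMonitorId)) return { status: 404 };
  return { status: 200, body: { avgPingMs: m.avgPingMs } };
}
```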

Exploit

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers

CVE-2026-32230
GHSA-C7HF-C5P5-5G6H

Affected Products

Uptime Kuma