wid-sec-w-2026-0713
·
Published 2026-03-12
·
View on BSI CERT-Bund ↗
Uptime Kuma: Vulnerability allows Offenlegung from Informationen
CVSS 5.3
MEDIUM
Risk Summary
Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0.
CVEs (1)
Affected Vendors
Open Source
Affected Products (2)
Open Source
·
Uptime Kuma
<2.2.0
Open Source
·
Uptime Kuma
2.2.0
Get alerted to advisories like this
OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.
Start free trial Learn more