CVE-2024-26477 is a vulnerability identified in Statping-ng version 0.91.0 that permits an attacker to retrieve sensitive information without authentication. The flaw exists in the handling of API parameters for the oauth, amazon_sns, and export endpoints. By crafting specific requests targeting these endpoints, an attacker can bypass access controls and extract confidential data. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 7.5, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact is limited to confidentiality, with no effect on integrity or availability. Although no patches or exploits are currently documented, the vulnerability poses a significant risk due to the ease of exploitation and the sensitive nature of the exposed information.

The primary impact of CVE-2024-26477 is unauthorized disclosure of sensitive information, which can lead to further attacks such as credential theft, privilege escalation, or targeted phishing. Organizations relying on Statping-ng for monitoring or notification services may inadvertently expose confidential data, including OAuth tokens, Amazon SNS configurations, or export data. This exposure can compromise the security posture of affected systems and potentially lead to data breaches. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, increasing the risk for organizations worldwide. The absence of integrity or availability impact limits the scope to confidentiality, but the sensitive nature of the leaked data can have serious operational and reputational consequences.

To mitigate CVE-2024-26477, organizations should first verify if they are running Statping-ng version 0.91.0 or earlier. Immediate steps include restricting external access to the vulnerable API endpoints by implementing network-level controls such as firewall rules or API gateways that enforce strict authentication and authorization. If patching is not yet available, consider disabling or limiting the use of the oauth, amazon_sns, and export endpoints temporarily. Employ monitoring and logging to detect unusual or unauthorized API requests targeting these endpoints. Additionally, review and rotate any credentials or tokens that may have been exposed due to this vulnerability. Engage with the Statping-ng development community or vendor for updates and patches, and apply them promptly once released.