
CVE-2026-32230: CWE-862: Missing Authorization in louislam uptime-kuma

Severity: Medium
Tags: Vulnerability, CVE-2026-32230, CWE-862
Published: Thu Mar 12 2026 (03/12/2026, 18:13:58 UTC)
Source: CVE Database V5
Vendor/Project: louislam
Product: uptime-kuma

Description

CVE-2026-32230 is a medium severity vulnerability in Uptime Kuma versions 2.0.0 through 2.1.3 where the GET /api/badge/:id/ping/:duration? endpoint fails to verify authorization properly. This flaw allows unauthenticated users to access average ping/response time data for private monitors, bypassing the intended access control that restricts such data to public monitors only. The vulnerability arises from a missing authorization check on this specific endpoint, while the other badge endpoints correctly enforce public group verification. Exploitation requires no authentication or user interaction and can lead to unauthorized disclosure of monitoring data. The issue is fixed in version 2.2.0.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/20/2026, 02:34:54 UTC

Technical Analysis

Uptime Kuma is an open-source, self-hosted monitoring tool used to track uptime and response times of various services. Versions 2.0.0 through 2.1.3 contain a vulnerability (CVE-2026-32230) classified under CWE-862 (Missing Authorization). Specifically, the GET /api/badge/:id/ping/:duration? endpoint in the server's API router does not verify whether the requested monitor belongs to a public group before returning data. In contrast, other badge-related endpoints include a SQL query condition enforcing public=1, ensuring only public monitors' data is accessible. The ping endpoint omits this check, allowing unauthenticated attackers to retrieve average ping and response time metrics for private monitors. This unauthorized data disclosure could reveal sensitive operational information about internal systems or services that organizations intended to keep private. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The flaw was addressed and fixed in Uptime Kuma version 2.2.0. The CVSS v3.1 base score is 5.3 (medium severity), with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), confidentiality impact low (C:L), and no impact on integrity or availability (I:N/A:N). No known exploits have been reported in the wild as of the publication date.
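As an added example (not Uptime Kuma's own code), the lookup pattern the analysis describes is modelled below in JavaScript: the ping badge handler that reads a monitor by id alone, beside a hardened handler that first applies the same public-group condition (the `public = 1` join) the other badge endpoints use. The in-memory tables, their column names, the request shape and the sample rows are all assumptions.

```javascript
// Added illustration, not Uptime Kuma's own code: an in-memory model of the
// badge lookup described above. Table and column names are assumptions
// chosen to mirror the page's description (a monitor is public when it
// belongs to a group with public = 1); all rows are constructed samples.
const monitors = [
  { id: 1, name: "public-site", avgPing: 42 },
  { id: 2, name: "internal-db", avgPing: 7 },
];
const groups = [
  { id: 10, name: "status-page", public: 1 },
  { id: 11, name: "internal", public: 0 },
];
const monitorGroup = [
  { monitor_id: 1, group_id: 10 },
  { monitor_id: 2, group_id: 11 },
];

// Equivalent of the join plus `public = 1` condition that the other badge
// endpoints apply: monitor -> monitor_group -> group.
function isPublicMonitor(id) {
  return monitorGroup.some(
    (mg) =>
      mg.monitor_id === id &&
      groups.some((g) => g.id === mg.group_id && g.public === 1),
  );
}

// Vulnerable pattern (CWE-862): the handler looks the monitor up by id only,
// so an unauthenticated request for a private monitor still gets its data.
// The optional :duration parameter is accepted but unused in this model.
function pingBadgeVulnerable(req) {
  const m = monitors.find((x) => x.id === Number(req.params.id));
  return m ? { status: 200, avgPing: m.avgPing } : { status: 404 };
}

// Hardened pattern: authorize before reading. Private and non-existent
// monitors get the same response, so the endpoint does not reveal which
// monitor ids exist.
function pingBadgeHardened(req) {
  const id = Number(req.params.id);
  if (!isPublicMonitor(id)) return { status: 404 };
  const m = monitors.find((x) => x.id === id);
  return m ? { status: 200, avgPing: m.avgPing } : { status: 404 };
}

// Unauthenticated request for the private monitor (id 2).
const privateReq = { params: { id: "2", duration: "24h" } };
console.log(pingBadgeVulnerable(privateReq)); // { status: 200, avgPing: 7 }  -> leak
console.log(pingBadgeHardened(privateReq));   // { status: 404 }
```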

Potential Impact

The primary impact of this vulnerability is unauthorized disclosure of monitoring data related to private monitors. Organizations relying on Uptime Kuma for internal service monitoring could inadvertently expose sensitive operational metrics such as average ping and response times to unauthenticated external actors. This information could aid attackers in reconnaissance activities, enabling them to identify critical internal services, assess their responsiveness, and potentially plan targeted attacks. While the vulnerability does not allow modification or disruption of services, the confidentiality breach could undermine organizational security postures and privacy requirements. Since exploitation requires no authentication and can be performed remotely, the risk of data leakage is significant for any organization running affected versions of Uptime Kuma, especially those monitoring sensitive or critical infrastructure. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers could develop exploits given the public disclosure.

Mitigation Recommendations

Organizations using Uptime Kuma versions 2.0.0 to 2.1.3 should upgrade immediately to version 2.2.0 or later, where the authorization check on the /api/badge/:id/ping/:duration? endpoint is properly enforced. Until upgrading is possible, administrators should consider restricting network access to the Uptime Kuma server to trusted internal networks only, preventing unauthenticated external access to the API endpoints. Additionally, implementing web application firewalls (WAFs) with rules to detect and block suspicious API requests targeting badge endpoints can reduce exposure. Monitoring API logs for unusual access patterns to badge endpoints may help detect exploitation attempts. Reviewing and minimizing the number of private monitors exposed via badges and ensuring that sensitive monitoring data is not publicly accessible can further reduce risk. Finally, organizations should maintain an inventory of affected software versions and apply security patches promptly to prevent exploitation.

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-11T14:47:05.681Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69b30a4d2f860ef943dbc46d

Added to database: 3/12/2026, 6:47:41 PM

Last enriched: 3/20/2026, 2:34:54 AM

Last updated: 4/28/2026, 7:23:25 AM
