
CVE-2026-32230: CWE-862: Missing Authorization in louislam uptime-kuma

Severity: Medium
Tags: Vulnerability, CVE-2026-32230, CWE-862
Published: Thu Mar 12 2026 (03/12/2026, 18:13:58 UTC)
Source: CVE Database V5
Vendor/Project: louislam
Product: uptime-kuma

Description

CVE-2026-32230 is a medium severity vulnerability in Uptime Kuma versions 2.0.0 through 2.1.3, where the GET /api/badge/:id/ping/:duration? endpoint fails to verify authorization properly. This flaw allows unauthenticated users to access average ping and response time data for private monitors, bypassing intended access controls. The vulnerability arises because this specific endpoint does not check if the requested monitor belongs to a public group, unlike other badge endpoints. Exploitation requires no authentication or user interaction and can be performed remotely over the network. The issue is fixed in version 2.

AI-Powered Analysis

Last updated: 03/12/2026, 18:48:35 UTC

Technical Analysis

Uptime Kuma is an open-source, self-hosted monitoring tool widely used for tracking uptime and response metrics of IT infrastructure. Versions 2.0.0 through 2.1.3 contain a missing authorization vulnerability (CWE-862) in the GET /api/badge/:id/ping/:duration? endpoint. Unlike other badge endpoints that enforce a SQL query condition to ensure the requested monitor is public (public=1), this ping endpoint omits this check entirely. Consequently, unauthenticated attackers can query this endpoint to retrieve average ping and response time data for private monitors that should be restricted. This leakage of monitoring data does not require authentication or user interaction and can be exploited remotely over the network. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting a medium severity level due to its limited impact on confidentiality and no impact on integrity or availability. The flaw was publicly disclosed and fixed in version 2.2.0 of Uptime Kuma. No known exploits are currently reported in the wild. The vulnerability could allow attackers to gather intelligence on private infrastructure performance and availability, potentially aiding further targeted attacks or reconnaissance.
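As an added illustration (not Uptime Kuma's own code; the monitor/group tables and field names are assumed), the contrast between a badge lookup that resolves the monitor by id alone and one that applies the same public-group condition the other badge endpoints enforce:

```javascript
// Constructed in-memory data standing in for the monitor, group and
// membership tables; "public: 1" plays the role of the public=1 condition.
const groups = [
  { id: 10, name: "Status page", public: 1 },
  { id: 11, name: "Internal",    public: 0 },
];
const monitors = [
  { id: 1, name: "www",         avgPing: 38 },
  { id: 2, name: "internal-db", avgPing: 4 },
];
const monitorGroups = [
  { monitorId: 1, groupId: 10 },
  { monitorId: 2, groupId: 11 },
];

// True when the monitor belongs to at least one group flagged public.
function isInPublicGroup(monitorId) {
  return monitorGroups.some(mg => mg.monitorId === monitorId &&
    groups.some(g => g.id === mg.groupId && g.public === 1));
}

// Vulnerable shape of the ping badge handler: the monitor is looked up by id
// only, so statistics for a private monitor are returned to anyone.
function pingBadgeVulnerable(monitorId) {
  const m = monitors.find(r => r.id === monitorId);
  if (!m) return { status: 404, body: null };
  return { status: 200, body: { avgPing: m.avgPing } };
}

// Hardened shape: a monitor outside every public group gets the same 404 an
// unknown id gets, so the response neither leaks data nor confirms existence.
function pingBadgeFixed(monitorId) {
  const m = monitors.find(r => r.id === monitorId);
  if (!m || !isInPublicGroup(monitorId)) return { status: 404, body: null };
  return { status: 200, body: { avgPing: m.avgPing } };
}
```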

Potential Impact

The primary impact of CVE-2026-32230 is unauthorized information disclosure of private monitoring data, specifically average ping and response times. This can reveal sensitive operational details about an organization's internal or private infrastructure, such as server responsiveness and uptime patterns. While this does not directly compromise system integrity or availability, the leaked data can be leveraged by attackers for reconnaissance to plan more sophisticated attacks. Organizations relying on Uptime Kuma for monitoring critical infrastructure may inadvertently expose private performance metrics, potentially undermining security posture and privacy. The vulnerability affects all organizations using vulnerable versions, especially those with sensitive or critical infrastructure monitored privately. Since exploitation requires no authentication and no user interaction, the risk of automated scanning and data harvesting is elevated. However, the lack of known active exploitation reduces immediate threat urgency. Prompt patching is essential to prevent potential intelligence gathering by malicious actors.

Mitigation Recommendations

1. Upgrade Uptime Kuma to version 2.2.0 or later, where the authorization check for the ping badge endpoint is properly enforced.
2. If immediate upgrade is not feasible, implement network-level access controls to restrict access to the Uptime Kuma API endpoints, especially the /api/badge/:id/ping/:duration? endpoint, limiting it to trusted IP addresses or VPN users.
3. Review and audit existing monitor configurations to ensure sensitive monitors are not publicly accessible or exposed inadvertently.
4. Monitor logs for unusual or repeated access attempts to badge endpoints from unauthenticated sources, which may indicate reconnaissance activity.
5. Consider deploying web application firewalls (WAF) with custom rules to detect and block unauthorized access to sensitive API endpoints.
6. Educate administrators about the importance of timely patching and secure configuration of monitoring tools to prevent information leakage.
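For step 4, an added example (not from the advisory or the project) that scans constructed access-log lines and reports source addresses which requested the ping badge, without an authenticated identity, for several distinct monitor ids; the log format and the "-" user-field convention are assumptions:

```javascript
// Constructed sample lines in Common Log Format. The third field is the
// authenticated user; "-" marks a request that carried no identity.
const sampleLog = [
  '203.0.113.5 - - [12/Mar/2026:18:20:01 +0000] "GET /api/badge/1/ping/24h HTTP/1.1" 200 412',
  '203.0.113.5 - - [12/Mar/2026:18:20:02 +0000] "GET /api/badge/2/ping/24h HTTP/1.1" 200 410',
  '203.0.113.5 - - [12/Mar/2026:18:20:02 +0000] "GET /api/badge/3/ping/24h HTTP/1.1" 200 409',
  '203.0.113.5 - - [12/Mar/2026:18:20:03 +0000] "GET /api/badge/4/ping HTTP/1.1" 200 405',
  '198.51.100.7 - - [12/Mar/2026:18:21:10 +0000] "GET /api/badge/1/status HTTP/1.1" 200 388',
  '198.51.100.7 - - [12/Mar/2026:18:21:11 +0000] "GET /api/badge/1/ping/24h HTTP/1.1" 200 412',
  '192.0.2.9 - alice [12/Mar/2026:18:22:00 +0000] "GET /api/badge/2/ping/24h HTTP/1.1" 200 410',
];

const LOG_LINE = /^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;
// Matches /api/badge/<id>/ping with the optional duration segment named in the
// advisory's route pattern; any query string is ignored.
const BADGE_PING = /^\/api\/badge\/(\d+)\/ping(?:\/[^/?]+)?\/?(?:\?.*)?$/;

// Splits one line into its fields, or returns null when it is not in the format.
function parseLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { ip: m[1], user: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Collects successful, unauthenticated badge-ping requests per source IP and
// returns the sources that touched at least `minMonitors` distinct monitor ids.
function findBadgeEnumeration(lines, minMonitors = 3) {
  const perIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.method !== "GET" || r.status !== 200 || r.user !== "-") continue;
    const route = BADGE_PING.exec(r.path);
    if (!route) continue;
    if (!perIp.has(r.ip)) perIp.set(r.ip, new Set());
    perIp.get(r.ip).add(route[1]);
  }
  return [...perIp]
    .filter(([, ids]) => ids.size >= minMonitors)
    .map(([ip, ids]) => ({ ip, monitorIds: [...ids].sort() }));
}

console.log(findBadgeEnumeration(sampleLog));
```

A real deployment would feed the function lines from the reverse proxy in front of Uptime Kuma and tune `minMonitors` to the number of monitors a legitimate status page embeds.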


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-11T14:47:05.681Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69b30a4d2f860ef943dbc46d

Added to database: 3/12/2026, 6:47:41 PM

Last enriched: 3/12/2026, 6:48:35 PM

Last updated: 3/13/2026, 9:54:07 AM
