Uptime Kuma Missing Authorization Check Vulnerability Allows Access to Private Monitor Ping Data

Vulnerability

A vulnerability exists in Uptime Kuma versions 2.0.0 through 2.1.3, specifically in the GET /api/badge/:id/ping/:duration? endpoint. This endpoint fails to verify whether the requested monitor is part of a public group. In contrast, all other badge endpoints include a public group check in their SQL queries before data is returned. As a result, the ping endpoint allows unauthenticated users to access average ping and response time data for private monitors, potentially leading to the enumeration of private monitor IDs and the inference of the existence and reachability of internal services being monitored.
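The missing check described above, shown as an added illustration that is not Uptime Kuma's own code: the badge endpoint's data-access logic is modelled with in-memory tables instead of SQL, with a vulnerable handler that looks the monitor up by id only beside a hardened one that gates the query on public-group membership. The table and column names (monitor, group.public, monitor_group) and the 404 response for non-public monitors are assumptions for the example.

```javascript
// Added illustration, not Uptime Kuma's own code. Models the badge endpoint's
// data-access logic with in-memory tables instead of SQL. The table and column
// names (monitor, monitor_group, group.public) are assumptions for the example.

// Constructed sample data: monitor 1 is on a public group, monitor 2 is private.
const db = {
  monitor: [
    { id: 1, name: "public-site", active: 1 },
    { id: 2, name: "internal-vpn-gateway", active: 1 },
  ],
  group: [{ id: 10, name: "Public Services", public: 1 }],
  monitor_group: [{ monitor_id: 1, group_id: 10 }],
  heartbeat: [
    { monitor_id: 1, ping: 40 }, { monitor_id: 1, ping: 60 },
    { monitor_id: 2, ping: 10 }, { monitor_id: 2, ping: 30 },
  ],
};

// Equivalent of the "is this monitor in a public group" join that the other
// badge endpoints perform in their SQL before returning any data.
function isInPublicGroup(db, monitorId) {
  return db.monitor_group.some(
    (mg) => mg.monitor_id === monitorId &&
      db.group.some((g) => g.id === mg.group_id && g.public === 1)
  );
}

function averagePing(db, monitorId) {
  const rows = db.heartbeat.filter((h) => h.monitor_id === monitorId);
  if (rows.length === 0) return null;
  return rows.reduce((sum, h) => sum + h.ping, 0) / rows.length;
}

// Vulnerable shape: resolves the monitor by id only, so private monitors leak.
function pingBadgeVulnerable(db, monitorId) {
  const row = db.monitor.find((m) => m.id === monitorId && m.active === 1);
  if (!row) return { status: 404 };
  return { status: 200, avgPing: averagePing(db, monitorId) };
}

// Hardened shape: the public-group check gates the query, and a private monitor
// is answered exactly like a non-existent one (404), so the endpoint cannot be
// used to enumerate private monitor ids either.
function pingBadgeFixed(db, monitorId) {
  const row = db.monitor.find((m) => m.id === monitorId && m.active === 1);
  if (!row || !isInPublicGroup(db, monitorId)) return { status: 404 };
  return { status: 200, avgPing: averagePing(db, monitorId) };
}
```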

Impact

Exploitation of this vulnerability allows unauthenticated users to access average ping and response time data for private monitors, which could be used to infer the existence and reachability of internal services being monitored.

Reproduction

To reproduce this vulnerability, install an affected Uptime Kuma version (2.0.0 through 2.1.3). Create a private HTTP or HTTPS monitor and ensure it is not added to any public status page or group. After allowing time for the monitor to accumulate heartbeats, query the ping badge endpoint for that monitor ID without authenticating. The response will include the average ping time, demonstrating unauthorized access to private monitor data.

Remediation

Users can upgrade to Uptime Kuma version 2.2.0 or later, where this vulnerability has been addressed.

Added: Mar 12, 2026, 7:25 PM
Updated: Mar 12, 2026, 7:25 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 0.6
exploitability: 9.1
remediation: 7.7
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.