Impact
From version 2.0.0 to 2.1.3, the GET /api/badge/:id/ping/:duration? endpoint in Uptime Kuma's server/routers/api-router.js does not enforce that the requested monitor belongs to a public group. While the other badge endpoints verify the monitor's visibility as part of their database query, the ping endpoint omits this check entirely, enabling unauthenticated users to retrieve average ping and response time data for private monitors. This broken access control (CWE-862) allows an attacker to obtain sensitive monitoring metrics without authorization, potentially revealing performance characteristics or uptime information that could aid further attacks.
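To make the defect concrete, the following is an added example (not Uptime Kuma's code) that models a badge-ping handler twice: once with the lookup by id alone, as the advisory describes, and once with the public-group check folded into the lookup the way the other badge endpoints do it. The monitor, group and heartbeat tables, their field names, and the helper names are all constructed for illustration and are not the project's schema or API.

```javascript
// Added example, not Uptime Kuma's own code. Tables below are constructed
// in-memory stand-ins for the database; field names are assumptions.
const MONITORS = [
  { id: 1, name: "public-site", groupId: 10 },
  { id: 2, name: "internal-db", groupId: 20 },
];
const GROUPS = [
  { id: 10, name: "Public status page", isPublic: true },
  { id: 20, name: "Ops-only", isPublic: false },
];
const HEARTBEATS = [
  { monitorId: 1, ping: 120 }, { monitorId: 1, ping: 80 },
  { monitorId: 2, ping: 5 },   { monitorId: 2, ping: 7 },
];

// Average ping over the constructed heartbeats for one monitor (null if none).
function averagePing(monitorId) {
  const beats = HEARTBEATS.filter(h => h.monitorId === monitorId);
  if (beats.length === 0) return null;
  return beats.reduce((sum, h) => sum + h.ping, 0) / beats.length;
}

// Vulnerable pattern mirroring the advisory: the monitor is resolved by id
// alone, so metrics for a private monitor are served to any unauthenticated
// caller. Kept here only to contrast with the hardened form.
function pingBadgeVulnerable(monitorId) {
  const monitor = MONITORS.find(m => m.id === monitorId);
  if (!monitor) return { status: 404, body: "not found" };
  return { status: 200, body: { label: "Avg. Response", value: averagePing(monitorId) } };
}

// Hardened pattern: the lookup itself requires membership in a public group,
// so a private monitor and a nonexistent one look identical to the caller.
function findPublicMonitor(monitorId) {
  const monitor = MONITORS.find(m => m.id === monitorId);
  if (!monitor) return null;
  const group = GROUPS.find(g => g.id === monitor.groupId);
  return group && group.isPublic ? monitor : null;
}

function pingBadgeHardened(monitorId) {
  const monitor = findPublicMonitor(monitorId);
  if (!monitor) return { status: 404, body: "not found" };
  return { status: 200, body: { label: "Avg. Response", value: averagePing(monitorId) } };
}

// Parse the advisory's route shape /api/badge/:id/ping/:duration?, accepting
// only positive integers for the id and optional duration (constructed helper;
// the default duration of 24 is an assumption).
function parseBadgePingPath(path) {
  const m = /^\/api\/badge\/(\d+)\/ping(?:\/(\d+))?$/.exec(path);
  if (!m) return null;
  return { monitorId: Number(m[1]), duration: m[2] ? Number(m[2]) : 24 };
}

// Stand-alone demonstration: private monitor leaks under the vulnerable
// handler and is hidden under the hardened one.
const req = parseBadgePingPath("/api/badge/2/ping/24");
console.log("vulnerable:", pingBadgeVulnerable(req.monitorId));
console.log("hardened:  ", pingBadgeHardened(req.monitorId));
```

The point of `findPublicMonitor` is that authorization lives in the data-access function rather than in each route, so a new badge endpoint cannot forget the check the way the ping endpoint did; returning 404 for both private and unknown ids also avoids confirming which monitor ids exist.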
Affected Systems
The vulnerability affects the uptime-kuma product from the louislam vendor. All releases from version 2.0.0 up to and including 2.1.3 are impacted. The fix was introduced in release 2.2.0, so any deployment running a version prior to 2.2.0 is susceptible.
Risk and Exploitability
The CVSS v3.1 base score is 5.3, indicating moderate severity. The EPSS score is less than 1%, suggesting a low probability of exploitation in the wild, and the vulnerability has not been catalogued in the CISA KEV list. The attack requires only an unauthenticated HTTP GET request to the endpoint, which any internet-exposed instance of Uptime Kuma can process. Because the data exposed are internal monitoring metrics, the potential damage is limited to information disclosure, but it could assist attackers in planning subsequent attacks. Public exploitation of the vulnerability has not been widely documented, so the likelihood remains low, but the impact of any leak warrants mitigation.