SCA: security update for uptime-kuma (GHSA-c7hf-c5p5-5g6h)

Medium severity. Tenable Self-Hosted Container Security Plugin ID 438695

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3, the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints include the condition "AND public = 1" in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0. (CVE-2026-32230)

Solution

Update the uptime-kuma library and its related packages to version 2.2.0 or later.

See Also

https://github.com/advisories/GHSA-c7hf-c5p5-5g6h

Plugin Details

Severity: Medium

ID: 438695

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 3/12/2026

Updated: 6/1/2026

Risk Information

VPR

Risk Factor: Low

Score: 2.2

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2026-32230

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/12/2026

Vulnerability Publication Date: 3/12/2026

Reference Information

CVE: CVE-2026-32230

CWE: CWE-862