CVE-2024-26480

7.5 HIGH

📋 TL;DR

CVE-2024-26480 is an information disclosure vulnerability in Statping-ng v0.91.0 that allows attackers to access sensitive information through crafted requests to the admin parameter. This affects all systems running the vulnerable version of Statping-ng, a self-hosted status page monitoring tool. Attackers can potentially obtain administrative credentials or other confidential data.

💻 Affected Systems

Products:
  • Statping-ng
Versions: v0.91.0
Operating Systems: All platforms running Statping-ng
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Statping-ng version 0.91.0 specifically. Other versions may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the Statping-ng instance with administrative access, allowing attackers to modify monitoring configurations, inject malicious content, or pivot to other systems.

🟠 Likely Case: Exposure of sensitive configuration data, API keys, or authentication tokens that could lead to unauthorized access or data manipulation.

🟢 If Mitigated: Limited information disclosure with no critical impact if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept code is available on GitHub. Exploitation appears straightforward via crafted HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: any release after v0.91.0

Vendor Advisory: https://github.com/statping-ng/statping-ng

Restart Required: Yes

Instructions:

1. Check the current version with 'statping version'.
2. Update to the latest version using your package manager, or download it from GitHub.
3. Restart the Statping-ng service.

🔧 Temporary Workarounds

Restrict Admin Parameter Access (applies to: all platforms)

Implement web application firewall rules or reverse proxy configurations to block or sanitize requests to the admin parameter.

# Example nginx location block to restrict admin access.
# Note: "~* /admin" is a case-insensitive regex and matches any URI containing "/admin".
# "deny all" already answers 403 on its own; the explicit "return 403" is belt-and-braces.
# This blocks legitimate administrators too; add "allow <trusted-ip>;" before "deny all"
# if admin access from a known network must keep working.
location ~* /admin {
    deny all;
    return 403;
}

🧯 If You Can't Patch

  • Implement strict network access controls to limit Statping-ng access to trusted IP addresses only.
  • Monitor and alert on unusual requests to admin endpoints in application logs.

🔍 How to Verify

Check if Vulnerable:

Check if running Statping-ng version 0.91.0 using 'statping version' or by examining the application interface.

Check Version:

statping version

Verify Fix Applied:

Confirm version is updated beyond v0.91.0 and test that crafted requests to admin parameter no longer return sensitive information.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests containing crafted admin parameter values
  • Multiple failed authentication attempts following information disclosure

Network Indicators:

  • HTTP requests with unusual parameters to admin endpoints
  • Traffic patterns showing reconnaissance of admin interfaces

SIEM Query:

source="statping-ng" AND (uri="*admin*" OR (method="POST" AND status=200 AND size>1000))
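The log indicators and the SIEM query above can be checked offline against reverse-proxy access logs. The following is an added example, not code from this page or from the Statping-ng project; it assumes the proxy in front of Statping-ng writes the common/combined log format, treats "admin" as either a path segment or a query-parameter name (a hypothetical reading of the advisory's "admin parameter"), and uses constructed sample lines rather than real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined access-log format (assumption: Statping-ng sits behind a
# reverse proxy such as nginx that writes this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def flag_request(rec, size_threshold=1000):
    """Apply the advisory's two indicators; returns the list of matching reasons."""
    reasons = []
    parts = urlsplit(rec["uri"])
    # Indicator 1: admin endpoint in the path, or a query parameter literally named "admin"
    # (hypothetical parameter name, chosen to mirror the advisory's wording).
    if "admin" in parts.path.lower() or "admin" in parse_qs(parts.query):
        reasons.append("admin-endpoint-or-parameter")
    # Indicator 2: successful POST with an unusually large response body (size>1000).
    if rec["method"] == "POST" and rec["status"] == 200 and rec["size"] > size_threshold:
        reasons.append("large-200-post")
    return reasons

def scan(lines):
    """Return (client_ip, uri, reasons) for every parsable line that trips an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            reasons = flag_request(rec)
            if reasons:
                hits.append((rec["ip"], rec["uri"], reasons))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /api/services HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /api/users?admin=1 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "POST /api/settings HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/Mar/2024:12:00:04 +0000] "GET /admin HTTP/1.1" 403 153',
]
```

Running scan(SAMPLE_LOG) flags three of the four lines; the first line (a normal GET to /api/services) passes clean.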
