{"uuid": "8a72f774-c36c-4999-9305-b734935e445f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50884", "type": "seen", "source": "https://gist.github.com/pyuysig/72acb62a9973fa394581f662c0f12704", "content": "# Vulnerability Report: CVE-2026-50884 - statping-ng - Non-admin API key accepted for administrator API endpoints\n\n## Vulnerability Summary\nstatping-ng 0.93.0 contains an incorrect access control issue in API key authentication. A remote attacker with a valid non-admin user API key can pass the key in the api query parameter to admin-only /api/* endpoints, leading to unauthorized administrator-level access.\n\n## Affected Product\n- **Vendor**: statping-ng Project\n- **Product**: statping-ng\n- **Version**: 0.93.0\n- **Vulnerable Component**: handlers/authentication.go hasAPIQuery(), handlers/handlers.go IsFullAuthenticated(), admin-only routes protected by authenticated(...), including /api/users\n\n## Vulnerability Details\n- **Vulnerability Type**: Incorrect Access Control\n- **Weakness**: CWE-863\n- **Attack Conditions**: Remote request with a valid non-admin user API key in the api query parameter to an admin-only /api/* endpoint.\n\n## Report Body\n\n### Summary\nstatping-ng 0.93.0 contains an incorrect access control issue in API key authentication. A remote attacker with a valid non-admin user API key can pass the key in the api query parameter to admin-only /api/* endpoints, leading to unauthorized administrator-level access.\n\n### Details\nThe authentication helper treats presence of a valid API key as full authentication for routes that require administrator-level access, without enforcing the caller role.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50884.\n3. Confirm the security result: A non-admin user API key can access admin-only API endpoints such as /api/users.\n\n### Impact\nPrivilege escalation from non-admin API key access to administrator API operations.\n\n## Remediation\nSeparate authentication from authorization and require administrator role checks for admin API endpoints even when API-key authentication succeeds.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:55.000000Z"}