CVE-2024-26477
Published: 11 February 2026
Summary
CVE-2024-26477 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Statping-Ng. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 18.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-26477 is an information disclosure vulnerability (CWE-200) affecting Statping-ng version 0.91.0, a self-hosted status page and service monitoring application. The flaw allows an attacker to obtain sensitive information through a crafted request targeting the "api" parameter on the oauth, amazon_sns, and export endpoints. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for authentication, privileges, or user interaction.
Any unauthenticated attacker with network access to a vulnerable Statping-ng instance can exploit this issue remotely with low complexity. By sending a specially crafted HTTP request to the affected endpoints, the attacker can extract sensitive data exposed via the "api" parameter, potentially including configuration details, credentials, or other internal information that could facilitate further attacks or reconnaissance.
References include proof-of-concept exploit code hosted at https://github.com/Ev3rR3d/Statping_Poc and https://github.com/Ev3rR3d/Statping_Poc/tree/main/CVE-2024-26477, demonstrating the vulnerability. Security practitioners should review the official Statping-ng repository at https://github.com/statping-ng/statping-ng and documentation site https://statping-ng.github.io/ for any patches, version updates, or mitigation guidance beyond the affected v0.91.0 release.
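As an added example (not code from the advisory or from the Statping-ng project), the following Python script triages web-server access logs for the pattern described above: requests to the oauth, amazon_sns or export endpoints that carry an "api" parameter, with a flag for those that were served with a 200 response by an unauthenticated client. The URL paths in the constructed sample lines are assumptions, since the advisory names only the endpoints and not their routes.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Endpoint names and the parameter named in the advisory for CVE-2024-26477.
# URL paths below are constructed assumptions; Statping-ng's real routes may differ.
WATCHED_ENDPOINTS = {"oauth", "amazon_sns", "export"}
WATCHED_PARAM = "api"

# Common log format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic); see the path assumption above.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Feb/2026:10:00:01 +0000] "GET /api/export?api= HTTP/1.1" 200 5120',
    '203.0.113.7 - - [11/Feb/2026:10:00:02 +0000] "GET /oauth?api=1 HTTP/1.1" 200 812',
    '198.51.100.4 - admin [11/Feb/2026:10:01:00 +0000] "GET /api/export?api=1 HTTP/1.1" 200 5120',
    '192.0.2.9 - - [11/Feb/2026:10:02:00 +0000] "GET /api/services HTTP/1.1" 200 2048',
    '203.0.113.7 - - [11/Feb/2026:10:03:00 +0000] "GET /api/amazon_sns?api=x HTTP/1.1" 401 0',
]

def parse_line(line):
    """Split one access-log line into fields; returns None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # keep_blank_values: an empty 'api=' still counts as the parameter being present
    rec["query"] = parse_qs(url.query, keep_blank_values=True)
    return rec

def matches_cve_pattern(rec):
    """True when the request targets a watched endpoint and carries the 'api' parameter."""
    last_segment = rec["path"].rstrip("/").rsplit("/", 1)[-1]
    return last_segment in WATCHED_ENDPOINTS and WATCHED_PARAM in rec["query"]

def triage(lines):
    """Return matching requests. 'served' marks a 200 response (data may have been disclosed);
    'authenticated' assumes the proxy writes the logged-in user to the user field ('-' = none)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and matches_cve_pattern(rec):
            hits.append({"client": rec["client"], "path": rec["path"], "status": rec["status"],
                         "served": rec["status"] == "200", "authenticated": rec["user"] != "-"})
    return hits
```

Run `triage(SAMPLE_LOG)` against your own proxy logs after adjusting the paths; hits that are both served and unauthenticated are the ones to investigate first.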
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-23745
Vulnerability details
An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the api parameter of the oauth, amazon_sns, export endpoints.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of an unauthenticated information disclosure in a public-facing web application (T1190), used to extract system and configuration data and credentials (T1082/T1552).
Mitigating Controls (NIST 800-53 r5)
Directly remediates the specific information disclosure flaw in Statping-ng v0.91.0 that allows unauthenticated attackers to extract sensitive data via crafted 'api' parameter requests to oauth, amazon_sns, and export endpoints.
- AC-14 (Permitted Actions Without Identification or Authentication): restricts unauthenticated access to sensitive information by explicitly identifying and authorizing only permitted actions on the vulnerable endpoints without identification or authentication.
- SI-10 (Information Input Validation): prevents exploitation through crafted HTTP requests to the 'api' parameter by validating information inputs at the oauth, amazon_sns, and export endpoints.