Vulnerability Database
299,038
Total vulnerabilities in the database
Enabling Authentication does not close all logged in socket connections immediately
Summary
This is basically GHSA-88j4-pcx8-q4q but instead of changing passwords, when enabling authentication.
PoC
- Open Uptime Kuma with authentication disabled
- Enable authentication using another window
- Access the platform using the previously logged-in window
- Note that access (read-write) remains despite the enabled authentication
- Expected behaviour:
- After enabling authentication, all previously connected sessions should be invalidated, requiring users to log in.
- Actual behaviour:
- The system retains sessions and never logs out users unless explicitly done by clicking logout or refreshing the page.
Impact
See GHSA-g9v2-wqcj-j99g and GHSA-88j4-pcx8-q4q
TBH this is quite a niche edge case, so I don't know if this even warrants a security report.
| Software | From | Fixed in |
|---|---|---|
uptime-kuma
|
- | 1.23.12 |
- https://github.com/louislam/uptime-kuma/commit/7a9e2f5de69aa0bb884ead25d1dcc833bb8c6579
- https://github.com/louislam/uptime-kuma/security/advisories/GHSA-23q2-5gf8-gjpp
- https://github.com/louislam/uptime-kuma/security/advisories/GHSA-88j4-pcx8-q4q3
- https://github.com/louislam/uptime-kuma/security/advisories/GHSA-g9v2-wqcj-j99g
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime