CVE-2023-49805
CVE-2023-49805 is a medium-severity vulnerability in Dockge.kuma Dockge with a CVSS 3.x base score of 6.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-346.
Key facts
- Severity: Medium (CVSS 3.x base score 6.0)
- EPSS exploit prediction: 0% (30th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-346
- Affected product: Dockge.kuma Dockge
- Published:
- Last modified:
Description
Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. This allows third-party website to access the application on behalf of their client. When connecting to the server using Socket.IO, the server does not validate the `Origin` header leading to other site being able to open connections to the server and communicate with it. Other websites still need to authenticate to access most features, however this can be used to circumvent firewall protections made in place by people deploying the application. Without origin validation, Javascript executed from another origin would be allowed to connect to the application without any user interaction. Without login credentials, such a connection is unable to access protected endpoints containing sensitive data of the application. However, such a connection may allow attacker to further exploit unseen vulnerabilities of the application. Users with "No-auth" mode configured who are relying on a reverse proxy or firewall to provide protection to the application would be especially vulnerable as it would grant the attacker full access to the application. In version 1.23.9, additional verification of the HTTP Origin header has been added to the socket.io connection handler. By default, if the `Origin` header is present, it would be checked against the Host header. Connection would be denied if the hostnames do not match, which would indicate that the request is cross-origin. Connection would be allowed if the `Origin` header is not present. Users can override this behavior by setting environment variable `UPTIME_KUMA_WS_ORIGIN_CHECK=bypass`.
Frequently asked questions
- What is CVE-2023-49805?
- Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. This allows third-party website to access the application on behalf of their client. When connecting to the server using Socket.IO, the server does not validate the `Origin` header leading to other site being able to open connections to the server and communicate with it. Other websites still need to authenticate to access most features, however this can be used to circumvent firewall protections made in place by people deploying the application. Without origin validation, Javascript executed from another origin would be allowed to connect to the application without any user interaction. Without login credentials, such a connection is unable to access protected endpoints containing sensitive data of the application. However, such a connection may allow attacker to further exploit unseen vulnerabilities of the application. Users with "No-auth" mode configured who are relying on a reverse proxy or firewall to provide protection to the application would be especially vulnerable as it would grant the attacker full access to the application. In version 1.23.9, additional verification of the HTTP Origin header has been added to the socket.io connection handler. By default, if the `Origin` header is present, it would be checked against the Host header. Connection would be denied if the hostnames do not match, which would indicate that the request is cross-origin. Connection would be allowed if the `Origin` header is not present. Users can override this behavior by setting environment variable `UPTIME_KUMA_WS_ORIGIN_CHECK=bypass`.
- How severe is CVE-2023-49805?
- CVE-2023-49805 has a CVSS 3.x base score of 6.0, rated medium severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity low, and availability low.
- Is CVE-2023-49805 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (30th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-49805?
- CVE-2023-49805 primarily affects Dockge.kuma Dockge. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-49805?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-49805 published?
- CVE-2023-49805 was published on 2023-12-11 and last updated on 2026-06-17.
References
- https://github.com/louislam/uptime-kuma/commit/2815cc73cfd9d8ced889e00e72899708220d184f
- https://github.com/louislam/uptime-kuma/security/advisories/GHSA-mj22-23ff-2hrr
Affected products (2)
- cpe:2.3:a:dockge.kuma:dockge:*:*:*:*:*:*:*:*
- cpe:2.3:a:uptime.kuma:uptime_kuma:*:*:*:*:*:*:*:*
More vulnerabilities in Dockge.kuma Dockge
- CVE-2023-49804 — Medium (CVSS 6.7): Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, when a user changes their login…
All CVEs affecting Dockge.kuma Dockge →
Other CWE-346 vulnerabilities
- CVE-2026-42901 — Critical (CVSS 10.0): Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-6508 — Critical (CVSS 9.8): Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows…
- CVE-2026-2790 — Critical (CVSS 9.8): Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR…
- CVE-2022-50925 — Critical (CVSS 9.8): Prowise Reflect version 1.0.9 contains a remote keystroke injection vulnerability that allows attackers to send…
- CVE-2025-30466 — Critical (CVSS 9.8): This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS…
- CVE-2024-8487 — Critical (CVSS 9.8): A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. The CORS…