CVE-2026-50884: Incorrect access control in statping-ng v0
Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Incorrect access control in statping-ng v0.93.0 allows an authenticated attacker to escalate their privileges to Administrator level. The vulnerability is reachable over the network and requires only a low-privilege account to exploit, with no victim interaction needed. Successful exploitation gives the attacker full administrative access to sensitive components, enabling data disclosure, configuration tampering, and potential service disruption. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection of CVE-2026-50884 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle statping-ng v0.93.0.
Status: Available
HarborGuard scores this finding at 8.8 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency; findings are then routed to the appropriate team inbox within each customer organization.
Status: Available
No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released, triggering the standard rebuild-and-PR flow for customers with auto-remediation enabled.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the statping-ng service over the network; there is no local-only restriction on the attack surface.
- Authentication: Required
A low-privilege account is sufficient; the attacker does not need administrator credentials to initiate the privilege escalation.
- Victim interaction: Not required
No user interaction is needed; the attacker can exploit the access control flaw directly without social engineering.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Attacker gains Administrator-level access to the statping-ng instance, reading all stored monitoring configuration, credentials, and status-page data.
- Attacker can modify or delete service monitors, status pages, and stored incident records.
- Attacker can access and exfiltrate any sensitive components exposed to the Administrator role, such as API keys or integration secrets.
- Attacker may disrupt monitoring availability by altering or removing service checks, masking real outages.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-50884 is active and will flag any image found to contain statping-ng v0.93.0. Because no upstream fix version exists, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix is published upstream. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. In the meantime, consider compensating controls such as network-policy rules that restrict access to the statping-ng service to known trusted CIDRs, egress filtering to limit lateral movement if the service is compromised, and review of which accounts hold credentials capable of reaching the service.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H