eastbaycyber

CVE-2026-36044: Uptime Kuma Trusted Proxy Bypass via Malformed X-Forwarded-For

CVE explainers 11 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2023-10-01
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-36044
CVSS v3.1 10.0 Critical
Attack vector Network
Authentication required None
Patch status Fixed in 2.0.0-beta.4 and later

TL;DR - Critical Uptime Kuma flaw lets attackers spoof client IPs via malformed X-Forwarded-For. - Affects versions before 2.0.0-beta.4; upgrade and sanitize proxy headers. - No confirmed in-the-wild exploitation cited, but treat internet-exposed instances as urgent.

What This Vulnerability Means in Practice

CVE-2026-36044 is a critical vulnerability in Uptime Kuma caused by improper validation of proxy-forwarded client IP data. According to the advisory and NVD description, the issue affects Uptime Kuma versions before 2.0.0-beta.4. The flaw allows an attacker to bypass trusted proxy checks by sending a malformed X-Forwarded-For header, which can make the application misidentify the request’s source IP.

That matters because many deployments place Uptime Kuma behind reverse proxies and rely on forwarded headers to preserve the original client address. If the application trusts those headers without correctly parsing and validating each hop, the attacker can inject a crafted value that appears to come from a trusted source. In the vulnerable logic, the application reportedly used an endsWith() check against the entire header string instead of validating the individual comma-separated IP entries. That is a classic proxy trust failure: the application trusts user-controlled metadata as if it were proxy-generated truth.

The advisory’s impact statement is especially important: this is not automatically remote code execution in every environment. The CVSS score is 10.0, and the NVD description says the issue can lead to remote code execution on servers that trust the client IP for authentication and support local file inclusion or code execution based on that IP. In other words, the trusted proxy bypass is the primitive; the full impact depends on how the deployment uses client IP as a security decision point.

For defenders, the practical takeaway is simple: if your Uptime Kuma instance is internet-facing, behind a reverse proxy, or integrated with any access control logic that relies on client IP, assume exposure until you validate the version and proxy configuration. Even if your exact deployment would not reach code execution, IP spoofing alone can still undermine allowlists, auditing, rate limiting, or admin-only logic.

Exploitation Status: What Is Known and What Is Not

Based on the provided sources, CISA KEV does not list CVE-2026-36044, so there is no CISA-confirmed evidence of exploitation in the wild at this time. That is useful context, but it should not be interpreted as proof of safety. KEV absence means only that the vulnerability is not currently on that catalog; it does not guarantee that exploitation attempts are not occurring.

As for public exploit code, the current research note says no separate public PoC repository was identified from the referenced materials. The GitHub Security Advisory and the fix commit do provide enough technical context to understand the vulnerability mechanism, including the flawed trusted proxy handling and the remediation approach. That means competent researchers or attackers may still be able to reproduce the issue even without a polished public exploit release.

For incident response teams, the correct wording today is: there is no confirmed in-the-wild exploitation cited in the provided sources, and no verified public PoC URL was identified in those sources. In the absence of confirmed exploitation data, defenders should assume opportunistic probing is possible because the vulnerability is remotely reachable, requires no authentication, and has a very high severity rating.

The operational implication is urgency, not panic. Patch quickly, review logs for suspicious forwarded-header activity, and validate reverse-proxy header sanitation. A vulnerability that enables client IP spoofing in a proxied environment is often easy to test once the weakness is understood, so exposure windows should be minimized.

AnalystImpact · assess the risk

Affected Versions and Exposure Scope

The affected product is Uptime Kuma, maintained under louislam/uptime-kuma. The published version information states that all versions before 2.0.0-beta.4 are affected. The fixed version is explicitly listed as 2.0.0-beta.4 or later. If you are running anything older than that fixed release, you should treat the instance as vulnerable until updated.

Because the version range is stated as “before 2.0.0-beta.4”, defenders should avoid guessing whether only selected branches are impacted. If your deployment reports an earlier build, older beta, custom package, or image tag that maps to code prior to 2.0.0-beta.4, the safe operational assumption is that it is affected. If you cannot reliably determine the running build from your deployment tooling, compare the application image tag, package metadata, or Git commit against the patched release and commit history.

The vulnerability is especially relevant where Uptime Kuma sits behind common reverse proxies such as Nginx, Traefik, HAProxy, Apache HTTP Server, or container ingress controllers that populate X-Forwarded-* headers. Those setups are normal and often necessary, but they also create a trust boundary that must be enforced correctly. If the edge proxy forwards user-supplied X-Forwarded-For values without stripping and rewriting them, the attacker may be able to influence what the application believes is the real client IP.

If some deployment facts are unknown, say so internally and plan around worst case. For example, if you do not know whether your edge proxy strips incoming forwarding headers, assume it may not. If you do not know whether any access control logic depends on client IP, assume spoofing could have security consequences. This is preferable to underestimating the blast radius of a header trust bug.

Risk Analysis for Admins and Security Teams

The vulnerable behavior stems from insufficient verification of data authenticity (CWE-345). Specifically, Uptime Kuma reportedly performed an endsWith() check on the entire X-Forwarded-For string rather than parsing and validating each IP entry individually. Since X-Forwarded-For commonly contains a comma-separated chain of addresses representing client and proxy hops, validating the raw string as a whole is not reliable.

An attacker can exploit this by crafting malformed or manipulated header values that satisfy the application’s trust logic even though the true sender is untrusted. Once the application accepts the spoofed IP, any downstream logic that treats the client address as a security signal can be bypassed. Examples include access restrictions intended for localhost or internal networks, administrative features exposed only to trusted source ranges, or application behaviors that become dangerous when invoked from “local” clients.

The advisory goes further and warns that this can lead to remote code execution in certain deployments. That qualifier matters. The CVSS reflects worst-case impact, but real-world exploitability depends on what sits behind the spoofed trust decision. If your deployment does not use client IP to gate dangerous functionality, your immediate risk may be lower than the maximum score suggests. But if you do use IP-based trust controls anywhere in the stack, you should treat the issue as a potential path to full compromise.

This also has implications beyond direct exploitation. Because the client IP may be forged from the application’s perspective, logs, alerts, and forensics may be misleading. Security analysts should be careful not to assume that a logged internal-looking source address reflects the real origin of the request if those records were derived from unsafely trusted forwarding headers.

Bottom Line

CVE-2026-36044 is a critical header trust vulnerability in Uptime Kuma versions before 2.0.0-beta.4. The flaw allows attackers to spoof client IPs by abusing malformed X-Forwarded-For data, potentially undermining any security decision that relies on trusted source addresses. In some deployments, that can escalate to remote code execution.

The immediate actions are straightforward: upgrade to 2.0.0-beta.4 or later, ensure your reverse proxy strips and rewrites untrusted X-Forwarded-* headers, and hunt for suspicious forwarded-header values in logs. There is no confirmed in-the-wild exploitation cited in the provided sources and no separately verified public PoC URL identified there, but the severity and low barrier to testing make this an issue to close quickly.

For further reading on related vulnerabilities, check out our articles on CVE-2026-8775 and What is CSRF and How Do I Prevent It?.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

ResponderRunbook · act now

Detection and Hunting Guidance

Start by inventorying where Uptime Kuma is deployed and whether it is behind a reverse proxy. Then determine whether incoming requests can carry user-controlled X-Forwarded-For headers to the application unchanged. If they can, and the instance runs a version before 2.0.0-beta.4, you should prioritize that system for immediate patching and review.

For detection, look for suspicious X-Forwarded-For values that contain multiple hops, malformed formatting, unexpected delimiters, or internal addresses originating from public clients. This is not proof of exploitation by itself, because forwarded headers are normal in proxied environments. The signal comes from combinations such as internet-facing source connections paired with X-Forwarded-For values claiming loopback, RFC1918 space, or unusual appended strings intended to influence string matching behavior.

Also review any authentication, admin-action, or privileged application events where the logged client IP appears internal, localhost, or trusted, especially if the corresponding TCP source address at the reverse proxy does not match that trust assumption. Correlate reverse-proxy access logs with application logs. If the edge saw a public source IP but the app attributed the action to 127.0.0.1, ::1, or an internal range through forwarding headers, investigate further.

Technical Notes

Example suspicious log patterns to hunt for in reverse-proxy logs:

X-Forwarded-For: 127.0.0.1
X-Forwarded-For: ::1
X-Forwarded-For: 10.0.0.5
X-Forwarded-For: 203.0.113.45, 127.0.0.1
X-Forwarded-For: 198.51.100.22, ::1
X-Forwarded-For: attacker, 127.0.0.1

Example grep-based triage on Nginx or generic access logs if forwarded headers are logged:

grep -E 'X-Forwarded-For: (127.0.0.1|::1|10.|172.(1[6-9]|2[0-9]|3[0-1]).|192.168.)' /var/log/nginx/access.log

Example Splunk query to find suspicious internal or loopback claims in X-Forwarded-For:

index=proxy_logs ("X-Forwarded-For"=* )
| eval xff=coalesce(http_x_forwarded_for, x_forwarded_for, request_headers{}.x_forwarded_for)
| search xff="*127.0.0.1*" OR xff="*::1*" OR xff="*10.*" OR xff="*192.168.*" OR xff="*172.16.*" OR xff="*172.17.*" OR xff="*172.18.*" OR xff="*172.19.*" OR xff="*172.2*"
| stats count by src_ip, xff, uri, status

If you have Suricata or similar network inspection at the edge, a simple hunt for inbound requests already carrying forwarding headers can help identify clients attempting header injection:

alert http any any -> $HOME_NET any (msg:"Inbound request with X-Forwarded-For header"; http.header; content:"X-Forwarded-For|3a|"; nocase; sid:3604401; rev:1;)

This is a noisy hunting rule, not a production-grade signature on its own. Tune it to only alert on direct internet-originated traffic where clients should never be supplying forwarding headers.

Mitigation and Patching

The primary fix is to upgrade Uptime Kuma to 2.0.0-beta.4 or later. That release changes proxy header handling so that individual IP entries are parsed and validated correctly instead of applying a string-suffix check to the whole header. If you are running any version before 2.0.0-beta.4, remediation should be scheduled immediately.

If immediate upgrade is not possible, the documented workaround is to strip untrusted X-Forwarded-* headers at the front-end reverse proxy and overwrite them with sanitized values. That means the proxy must discard whatever the client sends for X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto, then set fresh values based on the proxy’s own trusted view of the connection. This does not replace patching, but it reduces exposure by restoring a clean trust boundary.

You should also review whether any Uptime Kuma or surrounding-stack logic uses client IP for access control, localhost trust, admin gating, or feature enablement. If it does, remove or harden that dependence where possible. IP-based trust is especially fragile in multi-proxy and cloud ingress environments unless every hop is explicitly controlled and validated.

Finally, validate the fix operationally. After upgrading, send a test request with a forged X-Forwarded-For header through the edge and confirm that either the header is sanitized by the proxy or the application no longer accepts a spoofed trusted origin. Patch management is not complete until the behavior is verified.

Technical Notes

Example Docker upgrade workflow for Uptime Kuma:

docker pull louislam/uptime-kuma:2.0.0-beta.4
docker stop uptime-kuma
docker rm uptime-kuma
docker run -d \
  --name uptime-kuma \
  -p 3001:3001 \
  -v uptime-kuma:/app/data \
  --restart=always \
  louislam/uptime-kuma:2.0.0-beta.4

If you use Docker Compose, update the image tag and redeploy:

services:
  uptime-kuma:
    image: louislam/uptime-kuma:2.0.0-beta.4
    ports:
      - "3001:3001"
    volumes:
      - uptime-kuma:/app/data
    restart: always
docker compose pull
docker compose up -d

Example Nginx hardening to discard client-supplied forwarding headers and set sanitized values:

location / {
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_pass http://uptime_kuma;
}

Example HAProxy approach to overwrite forwarded client data:

http-request del-header X-Forwarded-For
http-request set-header X-Forwarded-For %[src]
http-request set-header X-Forwarded-Proto https if { ssl_fc }

If your exact package manager or deployment method is unknown, do not improvise a risky upgrade in production. Instead, determine whether you are using Docker, Compose, a Helm chart, or a source-based deployment, then map the installed version to 2.0.0-beta.4 or later before making changes.

References

The two primary references published for this CVE are the GitHub Security Advisory and the fix commit, both of which align on the product, affected versions, and remediation guidance. These should be your source of truth when validating that your deployment is patched and when reviewing what changed in the trust handling logic.

Additional context from the NVD record confirms the CVSS 10.0 rating, the CWE-345 classification, and the specific impact wording around client IP spoofing and possible RCE in certain server configurations. Since details beyond these references may evolve after publication, defenders should monitor the project’s release notes and advisory updates for any revised guidance or additional hardening recommendations.

Last verified: 2023-10-01

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.