How to fix CVE-2025-62166?

Within 24 hours: Audit current RSS aggregator deployment version and document all instances running version 1.28.0 or earlier. Within 7 days: Implement network segmentation to restrict RSS aggregator access to authorized personnel only and enable detailed access logging. Within 30 days: Develop an upgrade plan for when patches become available and establish a vendor communication schedule for security updates.

Is Freshrss affected by CVE-2025-62166?

An improper access control vulnerability in self-hosted RSS aggregator versions up to 1.28.0 allows unauthorized users to access restricted functionality, potentially exposing sensitive feed data and configuration information.

CVE-2025-62166

HIGH

2026-03-09 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:56 vuln.today

CVE Published

Mar 09, 2026 - 20:16 nvd

HIGH 7.5

Description

FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. This vulnerability is fixed in 1.28.0.

Analysis

self-hostable RSS aggregator. versions up to 1.28.0 is affected by improper access control (CVSS 7.5).

Technical Context

This vulnerability (CWE-284: Improper Access Control) affects self-hostable RSS aggregator.. FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. This vulnerability is fixed in 1.28.0.

Affected Products

Product: self-hostable RSS aggregator.. Versions: up to 1.28.0.

Remediation

Fixed in version 1.28.0.. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2025-62166 vulnerability details – vuln.today

Back

CVE-2025-62166

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-62166

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code