Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL (via the web interface or the API). In affected versions, an authenticated attacker could provide a URL pointing to internal/private IP ranges or localhost, causing the Nextcloud server to perform server-side HTTP requests to attacker-controlled destinations, but not relaying the result. This enables blind SSRF, which can be used to scan or probe internal network services that are reachable from the Nextcloud server. This vulnerability is fixed in 28.3.0-beta.1.
AnalysisAI
Blind Server-Side Request Forgery in Nextcloud News prior to 28.3.0-beta.1 allows low-privileged authenticated users to weaponize the feed URL submission feature - available via both the web interface and API - to coerce the Nextcloud server into making outbound HTTP requests to attacker-specified internal or private IP ranges, including localhost. Response content is never relayed back to the attacker, constraining this to a reconnaissance primitive rather than a data-exfiltration channel. No public exploit has been identified at time of analysis, EPSS sits at 0.04% (12th percentile), and CISA has not listed this in KEV, collectively indicating a low-probability real-world exploitation scenario.
Technical ContextAI
Nextcloud News is a Nextcloud application (cpe:2.3:a:nextcloud:news:*:*:*:*:*:*:*:*) that implements an RSS and Atom feed aggregator. Its core function - fetching remote feed URLs on behalf of users - is executed server-side, meaning the Nextcloud server itself originates outbound HTTP requests. CWE-918 (Server-Side Request Forgery) manifests here because the application fails to validate or restrict submitted feed URLs against disallowed destination ranges such as RFC-1918 private address space (10.x.x.x, 172.16-31.x.x, 192.168.x.x), link-local addresses (169.254.x.x, commonly used for cloud instance metadata services), and loopback (127.0.0.1). The CVSS 4.0 vector (AV:N/AC:H/PR:L) indicates the attack surface is network-reachable but subject to high complexity conditions, consistent with the 'blind' nature of the SSRF - the attacker cannot read HTTP responses, limiting feedback to timing or error signals. Subsequent system impact metrics SC:L and SI:L reflect that internal service probing may have limited spillover effects on infrastructure beyond the Nextcloud instance itself.
RemediationAI
The vendor-released fix is Nextcloud News version 28.3.0-beta.1, which should be applied via the Nextcloud App Store or manual upgrade. The full advisory is available at https://github.com/nextcloud/news/security/advisories/GHSA-jcfr-rmj6-cpfj. Note that 28.3.0-beta.1 carries a beta designation - administrators in production environments should assess stability tolerance before deploying. As a compensating control prior to patching, configure host-level or network-level egress firewall rules on the Nextcloud server to block outbound connections to RFC-1918 address ranges, 127.0.0.0/8, and 169.254.0.0/16; this prevents the SSRF requests from reaching internal services even if submitted, with minimal impact on legitimate external feed fetching. A forward proxy enforcing destination allowlists for Nextcloud's outbound HTTP client provides defense-in-depth and survives application-level bypasses. Be aware that blocking private ranges will also prevent intentional use cases where internal Nextcloud-hosted feeds are subscribed to - assess whether such configurations exist before applying blanket blocks.
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30333