Skip to main content

Nextcloud News EUVDEUVD-2026-30333

| CVE-2026-44515 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-14 GitHub_M
2.3
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 26, 2026 - 21:29 vuln.today
Patch available
May 14, 2026 - 18:02 EUVD
CVSS changed
May 14, 2026 - 17:22 NVD
2.3 (LOW)

DescriptionGitHub Advisory

Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL (via the web interface or the API). In affected versions, an authenticated attacker could provide a URL pointing to internal/private IP ranges or localhost, causing the Nextcloud server to perform server-side HTTP requests to attacker-controlled destinations, but not relaying the result. This enables blind SSRF, which can be used to scan or probe internal network services that are reachable from the Nextcloud server. This vulnerability is fixed in 28.3.0-beta.1.

AnalysisAI

Blind Server-Side Request Forgery in Nextcloud News prior to 28.3.0-beta.1 allows low-privileged authenticated users to weaponize the feed URL submission feature - available via both the web interface and API - to coerce the Nextcloud server into making outbound HTTP requests to attacker-specified internal or private IP ranges, including localhost. Response content is never relayed back to the attacker, constraining this to a reconnaissance primitive rather than a data-exfiltration channel. No public exploit has been identified at time of analysis, EPSS sits at 0.04% (12th percentile), and CISA has not listed this in KEV, collectively indicating a low-probability real-world exploitation scenario.

Technical ContextAI

Nextcloud News is a Nextcloud application (cpe:2.3:a:nextcloud:news:*:*:*:*:*:*:*:*) that implements an RSS and Atom feed aggregator. Its core function - fetching remote feed URLs on behalf of users - is executed server-side, meaning the Nextcloud server itself originates outbound HTTP requests. CWE-918 (Server-Side Request Forgery) manifests here because the application fails to validate or restrict submitted feed URLs against disallowed destination ranges such as RFC-1918 private address space (10.x.x.x, 172.16-31.x.x, 192.168.x.x), link-local addresses (169.254.x.x, commonly used for cloud instance metadata services), and loopback (127.0.0.1). The CVSS 4.0 vector (AV:N/AC:H/PR:L) indicates the attack surface is network-reachable but subject to high complexity conditions, consistent with the 'blind' nature of the SSRF - the attacker cannot read HTTP responses, limiting feedback to timing or error signals. Subsequent system impact metrics SC:L and SI:L reflect that internal service probing may have limited spillover effects on infrastructure beyond the Nextcloud instance itself.

RemediationAI

The vendor-released fix is Nextcloud News version 28.3.0-beta.1, which should be applied via the Nextcloud App Store or manual upgrade. The full advisory is available at https://github.com/nextcloud/news/security/advisories/GHSA-jcfr-rmj6-cpfj. Note that 28.3.0-beta.1 carries a beta designation - administrators in production environments should assess stability tolerance before deploying. As a compensating control prior to patching, configure host-level or network-level egress firewall rules on the Nextcloud server to block outbound connections to RFC-1918 address ranges, 127.0.0.0/8, and 169.254.0.0/16; this prevents the SSRF requests from reaching internal services even if submitted, with minimal impact on legitimate external feed fetching. A forward proxy enforcing destination allowlists for Nextcloud's outbound HTTP client provides defense-in-depth and survives application-level bypasses. Be aware that blocking private ranges will also prevent intentional use cases where internal Nextcloud-hosted feeds are subscribed to - assess whether such configurations exist before applying blanket blocks.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Share

EUVD-2026-30333 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy