Skip to main content

Newsblur

2 CVEs product

Monthly

CVE-2026-56772 MEDIUM PATCH This Month

Broken access control in NewsBlur before 14.5.0 exposes any authenticated user's private social notification feed - follows, replies, and social activity - to any other authenticated user. The GET /social/interactions endpoint accepts an arbitrary user_id parameter and returns that user's MInteraction records without verifying the requesting session owns the account, a classic CWE-639 IDOR. No public exploit code has been identified and this is not listed in CISA KEV, but the low attack complexity (any registered account suffices) makes the flaw trivially exploitable by any NewsBlur user against any other.

Authentication Bypass Newsblur
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56771 MEDIUM PATCH This Month

Server-side request forgery in NewsBlur's add_url endpoint allows any authenticated user to direct the server to issue arbitrary HTTP requests to private, loopback, or link-local addresses, including cloud instance metadata services. All NewsBlur deployments prior to version 14.5.0 (CPE: cpe:2.3:a:samuelclay:newsblur) are affected. An attacker with a valid account can supply a URL resolving to 169.254.169.254 or other internal addresses, enabling exfiltration of cloud provider IAM credentials and internal network reconnaissance. No public exploit identified at time of analysis, though patch commits are publicly available on GitHub and document the exact missing validation check.

SSRF Information Disclosure Newsblur
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Broken access control in NewsBlur before 14.5.0 exposes any authenticated user's private social notification feed - follows, replies, and social activity - to any other authenticated user. The GET /social/interactions endpoint accepts an arbitrary user_id parameter and returns that user's MInteraction records without verifying the requesting session owns the account, a classic CWE-639 IDOR. No public exploit code has been identified and this is not listed in CISA KEV, but the low attack complexity (any registered account suffices) makes the flaw trivially exploitable by any NewsBlur user against any other.

Authentication Bypass Newsblur
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Server-side request forgery in NewsBlur's add_url endpoint allows any authenticated user to direct the server to issue arbitrary HTTP requests to private, loopback, or link-local addresses, including cloud instance metadata services. All NewsBlur deployments prior to version 14.5.0 (CPE: cpe:2.3:a:samuelclay:newsblur) are affected. An attacker with a valid account can supply a URL resolving to 169.254.169.254 or other internal addresses, enabling exfiltration of cloud provider IAM credentials and internal network reconnaissance. No public exploit identified at time of analysis, though patch commits are publicly available on GitHub and document the exact missing validation check.

SSRF Information Disclosure Newsblur
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy