Description
Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue.
Published: 2026-01-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Access to Internal Network Resources
Action: Patch
AI Analysis

Impact

The flaw is a Server‑Side Request Forgery in the media proxy endpoint that an authenticated user can exploit to force Miniflux to fetch arbitrary URLs. Because the endpoint accepts any encoded URL, an attacker can target internal IPs, including localhost, RFC1918 addresses, or link‑local cloud metadata services. The proxy then returns the fetched content, enabling reading of internal resources and potentially gleaning credentials or other sensitive information.

Affected Systems

Miniflux version 2 before 2.2.16 is affected. The vulnerability is present in Miniflux v2 and has been fixed in release 2.2.16, which replaces the media proxy logic to reject internal addresses.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity level. The EPSS score is less than 1%, implying a low probability that the flaw will be exploited in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user to generate a proxy URL, and once the URL is accessed the server contacts the target address, making the attack vector internal to the application. Attacks that succeed could expose internal services and data, but would not grant direct execution or privilege escalation on the host itself. The combination of moderate severity and low exploitation probability suggests that while monitoring is advisable, immediate actions such as patching are recommended.

Generated by OpenCVE AI on April 18, 2026 at 16:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Miniflux to version 2.2.16 or newer, which removes the ability to target internal addresses via the media proxy.
  • If a patch is not immediately deployable, block external access to the /proxy/* endpoint or disable that endpoint in the application's configuration to prevent SSRF requests.
  • Configure network segmentation so that the Miniflux server resides on a subnet that does not contain critical internal services, mitigating the impact of any future SSRF exploitation.

Generated by OpenCVE AI on April 18, 2026 at 16:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xwh2-742g-w3wp Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources
History

Mon, 12 Jan 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Miniflux Project
Miniflux Project miniflux
CPEs cpe:2.3:a:miniflux_project:miniflux:*:*:*:*:*:go:*:*
Vendors & Products Miniflux Project
Miniflux Project miniflux

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
Description Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue.
Title Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Miniflux Project Miniflux
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T15:55:28.121Z

Reserved: 2026-01-05T17:24:36.928Z

Link: CVE-2026-21885

cve-icon Vulnrichment

Updated: 2026-01-08T14:52:37.831Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-08T14:15:57.257

Modified: 2026-01-12T16:55:42.353

Link: CVE-2026-21885

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:45:05Z

Weaknesses