Description
Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL (via the web interface or the API). In affected versions, an authenticated attacker could provide a URL pointing to internal/private IP ranges or localhost, causing the Nextcloud server to perform server-side HTTP requests to attacker-controlled destinations, but not relaying the result. This enables blind SSRF, which can be used to scan or probe internal network services that are reachable from the Nextcloud server. This vulnerability is fixed in 28.3.0-beta.1.
Published: 2026-05-14
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nextcloud News is an RSS/Atom feed reader that, before version 28.3.0-beta.1, allows authenticated users to add arbitrary feed URLs. An attacker can supply a URL that points to internal or localhost network addresses, causing the server to perform a blind server-side HTTP request to the supplied address without returning the response to the attacker. This permits internal network scanning and probing from the host running the Nextcloud server.

Affected Systems

The vulnerable component is the Nextcloud News app. All releases prior to 28.3.0-beta.1 are affected; upgrading to 28.3.0-beta.1 or later eliminates the flaw.

Risk and Exploitability

The CVSS score is 2.3 and the EPSS score is not available, indicating a low severity and uncertain exploitation probability. The vulnerability requires an authenticated session, so an attacker must first compromise user credentials. The flaw is not listed in CISA's KEV catalog. Once the feed URL is submitted, the attacker can discover or probe internal services that are reachable from the Nextcloud server, but cannot retrieve the response data.

Generated by OpenCVE AI on May 14, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nextcloud News app to version 28.3.0-beta.1 or newer.
  • If an immediate upgrade is not possible, disable the ability for authenticated users to add feeds or restrict accepted feed URLs to only external, whitelisted domains.
  • Monitor the server for unexpected outbound HTTP requests to internal addresses, and consider logging or alerting on such activity.
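One way to implement the "restrict accepted feed URLs" action above, as an added example that is not Nextcloud News code (written in Python rather than the app's PHP): a pre-fetch check that refuses non-http(s) schemes and any host that is, or resolves to, a private, loopback, link-local or otherwise non-global address. The `resolve` parameter is a hypothetical injection point so the check can be exercised without live DNS.

```python
"""Allow-check for user-supplied feed URLs that refuses internal destinations."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(ip):
    """True for any address a feed fetcher should never contact."""
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    # "not is_global" covers loopback, RFC 1918, link-local (169.254/16,
    # fe80::/10), CGNAT, the TEST-NET ranges and the unspecified address;
    # multicast is not in that set, so it is rejected explicitly.
    return (not ip.is_global) or ip.is_multicast


def is_safe_feed_url(url, resolve=socket.getaddrinfo):
    """Return True only if the URL is http(s) and every address its host
    resolves to is globally routable.

    `resolve` is a hypothetical parameter for testing without DNS; it takes
    (host, port) and returns getaddrinfo-style tuples.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    try:
        # IP literal: decide directly, no DNS involved.
        return not _is_internal(ipaddress.ip_address(host))
    except ValueError:
        pass  # not a literal, fall through to name resolution
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
        infos = resolve(host, port)
    except (ValueError, socket.gaierror, UnicodeError):
        return False  # malformed port, unresolvable or undecodable host
    addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    # A name that maps to nothing, or to ANY internal address (even alongside
    # public ones), is refused. Unusually encoded hosts also end up here,
    # because the decision is made on what the resolver returns, not the text.
    return bool(addrs) and not any(_is_internal(a) for a in addrs)
```

The same check has to be repeated on every redirect hop, and ideally inside the HTTP client's connect step, because a name can resolve differently between this check and the actual fetch.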


Advisories

No advisories yet.

History

Thu, 14 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Nextcloud
Nextcloud news
Vendors & Products Nextcloud
Nextcloud news

Thu, 14 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL (via the web interface or the API). In affected versions, an authenticated attacker could provide a URL pointing to internal/private IP ranges or localhost, causing the Nextcloud server to perform server-side HTTP requests to attacker-controlled destinations, but not relaying the result. This enables blind SSRF, which can be used to scan or probe internal network services that are reachable from the Nextcloud server. This vulnerability is fixed in 28.3.0-beta.1.
Title Nextcloud News: Authenticated blind SSRF via feed URL
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T21:32:18.181Z

Reserved: 2026-05-06T18:28:20.887Z

Link: CVE-2026-44515

Vulnrichment

Updated: 2026-05-14T18:36:27.098Z

NVD

Status: Deferred

Published: 2026-05-14T17:16:23.197

Modified: 2026-05-14T18:31:45.970

Link: CVE-2026-44515

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T18:45:26Z

Weaknesses