Description
NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the add_url endpoint that allows authenticated users to make arbitrary server requests to internal networks by failing to filter private IP addresses. Attackers can exploit this to access localhost services and cloud metadata endpoints, enabling internal network scanning and sensitive data exfiltration.
Published: 2026-06-25
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NewsBlur versions prior to 14.5.0 contain a server‑side request forgery flaw in the add_url endpoint that permits authenticated users to send requests to arbitrary URLs without proper validation of target addresses. This omission lets attackers reach internal hosts, including localhost services and cloud metadata endpoints, thereby exposing internal network scanners and sensitive data for exfiltration.

Affected Systems

All NewsBlur releases before version 14.5.0, maintained by Samuel Clay, are vulnerable. The issue was addressed in the 14.5.0 release, which includes input validation to block internal requests.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated user; however, once authenticated the attacker can conduct internal reconnaissance and, with sufficient access, exfiltrate confidential data. The lack of a firewall or network segmentation may increase the risk of broader compromise.

Generated by OpenCVE AI on June 25, 2026 at 19:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to NewsBlur 14.5.0 or later immediately to apply the fixed input validation.
  • Limit or disable the add_url endpoint for unauthenticated or low‑privilege accounts to reduce the attack surface.
  • Configure network segmentation or firewall rules to block outbound requests from the NewsBlur service to private IP ranges, thereby preventing internal reconnaissance.

Generated by OpenCVE AI on June 25, 2026 at 19:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Samuelclay
Samuelclay newsblur
Vendors & Products Samuelclay
Samuelclay newsblur

Fri, 26 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the add_url endpoint that allows authenticated users to make arbitrary server requests to internal networks by failing to filter private IP addresses. Attackers can exploit this to access localhost services and cloud metadata endpoints, enabling internal network scanning and sensitive data exfiltration.
Title NewsBlur < 14.5.0 - Server-Side Request Forgery via add_url Endpoint
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N'}


Subscriptions

Samuelclay Newsblur
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-14T21:34:21.445Z

Reserved: 2026-06-23T01:22:22.571Z

Link: CVE-2026-56771

cve-icon Vulnrichment

Updated: 2026-06-26T02:16:18.405Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:40Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)