Description
NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user's follows, replies, and social activity without authorization.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in NewsBlur versions older than 14.5.0 arises from a broken access control. The GET /social/interactions endpoint accepts a user_id parameter without verifying the requester owns that account. As a result, any authenticated user can retrieve the private notification feeds, followed users, replies, and other social activity of another user simply by supplying that user's ID. This is an example of CWE‑639, where a user can access data across ownership boundaries, leading to privacy breaches.

Affected Systems

This flaw affects the NewsBlur application supplied by Samuel Clay, specifically any deployment running a version earlier than 14.5.0. All clients – web, Android, or iOS – that expose the /social/interactions endpoint are potentially vulnerable if they have not applied the 14.5.0 release.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity impact, reflecting that exploitation requires the attacker to be authenticated. The EPSS score is not available, but the lack of listing in CISA's KEV catalog suggests no documented exploits at this time. Attackers who have valid credentials could enumerate user IDs and obtain sensitive notification data through repeated calls to the endpoint. The vulnerability is plausible for any user who can log in, so the risk is elevated in environments with many authenticated users.

Generated by OpenCVE AI on June 25, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NewsBlur to version 14.5.0 or later, which removes the broken ownership validation on the /social/interactions endpoint.
  • If immediate upgrading is not possible, consider disabling or restricting access to the /social/interactions endpoint until the patch can be applied.
  • If upgrading cannot be performed promptly, use network-level firewall rules to block external access to the /social/interactions endpoint until the patch is applied.

Generated by OpenCVE AI on June 25, 2026 at 20:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Samuelclay
Samuelclay newsblur
Vendors & Products Samuelclay
Samuelclay newsblur

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user's follows, replies, and social activity without authorization.
Title NewsBlur < 14.5.0 - Insecure Direct Object Reference in Social Interactions Endpoint
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Samuelclay Newsblur
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-14T21:34:22.122Z

Reserved: 2026-06-23T01:22:22.571Z

Link: CVE-2026-56772

cve-icon Vulnrichment

Updated: 2026-06-25T18:30:53.263Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:39Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key