CVE-2026-21885
Unknown Unknown - Not Provided
SSRF Vulnerability in Miniflux 2 Media Proxy Endpoint

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21885
EUVD
EUVD-2026-1186
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
miniflux miniflux to 2.2.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated users to perform SSRF attacks that can access sensitive internal network resources, leading to high confidentiality loss. Such unauthorized access to sensitive data could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to prevent unauthorized data disclosure. Therefore, organizations using vulnerable versions of Miniflux may face compliance risks due to potential exposure of protected information. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Miniflux to version 2.2.16 or later, where the vulnerability is fixed by restricting target hosts/IPs for proxy requests. If upgrading is not immediately possible, consider disabling the media proxy feature by changing the MEDIA_PROXY_MODE configuration to disable or restricting access to the /proxy/ endpoint to trusted users only. Additionally, monitor and restrict authenticated user actions to prevent abuse of the proxy endpoint. [1]

Executive Summary

CVE-2026-21885 is a Server-Side Request Forgery (SSRF) vulnerability in Miniflux versions 2.2.15 and earlier. It affects the media proxy endpoint, which generates signed proxy URLs for media content in feed entries. Although the proxy validates URL schemes and signatures, it does not restrict target hosts or IP addresses, allowing an authenticated user to make the server fetch internal network resources such as localhost or private IP ranges. This means an attacker with a valid Miniflux account can access sensitive internal resources by embedding malicious media URLs in feeds. [1]

Impact Analysis

This vulnerability can lead to a high confidentiality loss because an attacker with a valid Miniflux account can access sensitive internal network resources that are normally inaccessible from outside. This unauthorized data access could expose internal services, metadata endpoints, or other protected information. However, it does not affect data integrity or availability. [1]

Detection Guidance

To detect this vulnerability, you can check if your Miniflux instance is running a version prior to 2.2.16 and if the media proxy endpoint (/proxy/{encodedDigest}/{encodedURL}) is accessible. Monitoring HTTP requests to the /proxy/ endpoint for unusual or internal IP address patterns (e.g., localhost, RFC1918 ranges, or link-local addresses like 169.254.169.254) can indicate exploitation attempts. Commands such as 'curl' or 'wget' can be used to test the proxy endpoint manually by crafting requests to internal addresses via the proxy URL. Additionally, reviewing access logs for requests to /proxy/ with suspicious encoded URLs may help detect exploitation. For example, using grep on server logs: grep '/proxy/' /path/to/access.log | grep -E 'localhost|127.0.0.1|169.254.169.254|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.' [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21885. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart