CVE-2026-21885
SSRF Vulnerability in Miniflux 2 Media Proxy Endpoint
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| miniflux | miniflux | < 2.2.16 (all releases before 2.2.16; fixed in 2.2.16) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability lets an authenticated user make the Miniflux server fetch internal network resources, a high confidentiality impact. Regulations such as GDPR and HIPAA require controls that prevent unauthorized disclosure of protected data, so internal services or stored data reached through this SSRF could constitute a reportable breach. Organizations running affected versions should therefore treat the fix as a compliance-relevant patch, not only a security one. [1]
What immediate steps should I take to mitigate this vulnerability?
Upgrade Miniflux to version 2.2.16 or later, where the fix restricts the hosts and IP addresses the proxy will fetch from. If you cannot upgrade immediately, disable the media proxy by setting MEDIA_PROXY_MODE=none; note that the default mode, http-only, still proxies plain-http media URLs, which is exactly the form an internal target such as http://127.0.0.1/ or http://169.254.169.254/ takes. Because the attacker needs a valid login, also limit who holds accounts on the instance. Independently of the application fix, egress filtering on the Miniflux host that blocks connections to loopback, RFC 1918 and link-local (169.254.0.0/16) destinations contains the impact of this and any future SSRF. [1]
Can you explain this vulnerability to me?
CVE-2026-21885 is a Server-Side Request Forgery (SSRF) vulnerability in Miniflux versions before 2.2.16 (2.2.15 and earlier). It affects the media proxy endpoint, /proxy/{encodedDigest}/{encodedURL}, which serves media referenced by feed entries through signed proxy URLs that Miniflux itself generates. The proxy checks that the URL scheme is http or https and that the signature matches, but it does not restrict the target host or IP address. The signature only proves that the server generated the proxy URL; it says nothing about where the URL points, and the server generates such URLs for whatever media an entry references. An authenticated user can therefore subscribe to a feed they control whose entries embed media URLs pointing at localhost, private address ranges or link-local addresses such as a cloud metadata service, and the server will fetch those resources and return the response through the proxy. [1]
How can this vulnerability impact me?
Because the proxy returns the fetched content to the requester, an attacker with a valid Miniflux account can read responses from internal network resources that are normally unreachable from outside: internal HTTP services, cloud instance metadata endpoints, or other protected information. The impact is high on confidentiality; the vulnerability does not by itself affect integrity or availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
First confirm the version: run miniflux -version on the host (or inside the container), or check the About page in the web UI; anything below 2.2.16 is affected whenever MEDIA_PROXY_MODE is not none. For signs of exploitation, review access logs for requests to the media proxy endpoint, /proxy/{encodedDigest}/{encodedURL}. The target URL is carried in the last path segment in base64url-encoded form, so grepping the raw log for strings such as 127.0.0.1 or 169.254.169.254 will not match; decode that segment first and then look for loopback, RFC 1918 and link-local targets, for example: grep -oE '/proxy/[^/ "]+/[^/ "]+' /path/to/access.log | cut -d/ -f4 | while read -r seg; do printf '%s\n' "$seg" | tr '_-' '/+' | base64 -d 2>/dev/null; echo; done | grep -E '://(localhost|127\.|0\.0\.0\.0|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|\[::1\])'. To test your own instance, subscribe a test account to a feed you control whose entry references an internal URL and request the resulting proxy link with curl; a 200 response carrying the internal service's body confirms the exposure. At the network layer, outbound connections from the Miniflux host to the metadata address or to internal services it has no business reaching are a strong indicator of abuse. [1]
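As an added example (not code from this page or from the Miniflux project), the following Python script ties the explanation and the detection answers together. proxify() builds a signed /proxy/{digest}/{url} the way the explanation describes, which makes concrete that the signature limits who can mint a proxy URL but says nothing about where it points. scan_log() then does the detection properly: it decodes the encoded URL segment out of access-log lines before classifying the target, instead of grepping for literal addresses that never appear in the log, and it handles the bare-decimal and IPv6 spellings of loopback that a plain regex misses. Assumptions: base64url encoding of both segments and HMAC-SHA256 keyed with MEDIA_PROXY_PRIVATE_KEY follow the Miniflux source; the key value, hostnames and log lines are constructed for the example.

```python
"""Added example, not Miniflux code: mint media-proxy URLs as the endpoint does,
then recover and classify the targets of proxied requests from access-log lines.

Assumptions (labelled): /proxy/{encodedDigest}/{encodedURL} with both segments
base64url-encoded and the digest = HMAC-SHA256(MEDIA_PROXY_PRIVATE_KEY, url)
follows the Miniflux source; the key and the log lines below are made up.
"""
import base64
import hashlib
import hmac
import ipaddress
import re
from urllib.parse import urlparse

PRIVATE_KEY = b"example-only-media-proxy-key"  # made up; real one is MEDIA_PROXY_PRIVATE_KEY


def proxify(media_url: str, key: bytes = PRIVATE_KEY) -> str:
    """Return /proxy/{digest}/{url} as the server emits it for media in an entry.

    The HMAC proves the server generated the URL; it constrains nothing about
    the destination, which is the gap behind CVE-2026-21885.
    """
    digest = hmac.new(key, media_url.encode(), hashlib.sha256).digest()
    return "/proxy/{}/{}".format(
        base64.urlsafe_b64encode(digest).decode(),
        base64.urlsafe_b64encode(media_url.encode()).decode(),
    )


PROXY_PATH = re.compile(r"/proxy/[A-Za-z0-9_=-]+/(?P<url>[A-Za-z0-9_=-]+)")


def decode_proxied_url(path: str):
    """Recover the target URL from a proxy path, or None if it is not one."""
    m = PROXY_PATH.search(path)
    if not m:
        return None
    seg = m.group("url")
    seg += "=" * (-len(seg) % 4)  # tolerate stripped padding
    try:
        return base64.urlsafe_b64decode(seg).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return None


def internal_reason(url: str):
    """Return why the target is not public, or None when it looks public.

    Literal addresses are judged with ipaddress.is_global (loopback, RFC 1918,
    link-local incl. 169.254.169.254, unspecified). A bare decimal host such as
    http://2130706433/ is 127.0.0.1 in disguise and is expanded first. A DNS
    name cannot be judged from the log alone (it may rebind to an internal IP).
    """
    host = urlparse(url).hostname
    if not host:
        return "no host in URL"
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost name"
    if host.isdigit():
        try:
            host = str(ipaddress.IPv4Address(int(host)))
        except ValueError:
            return "invalid numeric host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # hostname: resolve and re-check if certainty is needed
    if not ip.is_global:
        return f"non-global address {ip}"
    return None


# Constructed access-log lines in Common Log Format, not real traffic.
LOG_LINES = [
    '10.0.0.5 - alice [08/Jan/2026:10:00:00 +0000] "GET %s HTTP/1.1" 200 5120'
    % proxify("https://cdn.example.org/img.png"),
    '10.0.0.5 - alice [08/Jan/2026:10:00:01 +0000] "GET %s HTTP/1.1" 200 412'
    % proxify("http://169.254.169.254/latest/meta-data/iam/security-credentials/"),
    '10.0.0.5 - alice [08/Jan/2026:10:00:02 +0000] "GET %s HTTP/1.1" 200 88'
    % proxify("http://127.0.0.1:8080/"),
    '10.0.0.5 - alice [08/Jan/2026:10:00:03 +0000] "GET %s HTTP/1.1" 200 88'
    % proxify("http://2130706433/"),
    '10.0.0.5 - alice [08/Jan/2026:10:00:04 +0000] "GET /feeds HTTP/1.1" 200 9001',
]

REQUEST_PATH = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/')


def scan_log(lines):
    """Return (target_url, reason) for each proxied request to a non-public target."""
    hits = []
    for line in lines:
        m = REQUEST_PATH.search(line)
        if not m:
            continue
        target = decode_proxied_url(m.group(1))
        if target is None:
            continue
        reason = internal_reason(target)
        if reason:
            hits.append((target, reason))
    return hits


if __name__ == "__main__":
    for target, reason in scan_log(LOG_LINES):
        print(f"suspicious proxied fetch -> {target} ({reason})")
```

Run it against a real log by replacing LOG_LINES with the file's lines; anything it reports should be correlated with the feed that produced the entry and with the Miniflux host's outbound connections at the time. Targets given as DNS names come back as clean here by design, so if you need certainty for those, resolve them from the Miniflux host and feed the addresses back through internal_reason().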
To detect this vulnerability, you can check if your Miniflux instance is running a version prior to 2.2.16 and if the media proxy endpoint (/proxy/{encodedDigest}/{encodedURL}) is accessible. Monitoring HTTP requests to the /proxy/ endpoint for unusual or internal IP address patterns (e.g., localhost, RFC1918 ranges, or link-local addresses like 169.254.169.254) can indicate exploitation attempts. Commands such as 'curl' or 'wget' can be used to test the proxy endpoint manually by crafting requests to internal addresses via the proxy URL. Additionally, reviewing access logs for requests to /proxy/ with suspicious encoded URLs may help detect exploitation. For example, using grep on server logs: grep '/proxy/' /path/to/access.log | grep -E 'localhost|127.0.0.1|169.254.169.254|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.' [1]