Home

Description

NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the add_url endpoint that allows authenticated users to make arbitrary server requests to internal networks by failing to filter private IP addresses. Attackers can exploit this to access localhost services and cloud metadata endpoints, enabling internal network scanning and sensitive data exfiltration.

PUBLISHED Reserved 2026-06-23 | Published 2026-06-25 | Updated 2026-06-26 | Assigner VulnCheck




MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N

HIGH: 8.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Problem types

Server-Side Request Forgery (SSRF)

Product status

Default status
unaffected

Any version before 14.5.0
affected

Credits

George Chen finder

References

github.com/samuelclay/NewsBlur/releases/tag/Android_14.5.0 (Release Notes) release-notes

github.com/...ommit/2e6c6812c94f35a731bda864de5aef39f18307f1 (Patch Commit (1)) patch

github.com/...ommit/af742daeca7cc6c8b0d58cbea381e7bc44daa520 (Patch Commit (2)) patch

www.vulncheck.com/...de-request-forgery-via-add-url-endpoint third-party-advisory

cve.org (CVE-2026-56771)

nvd.nist.gov (CVE-2026-56771)

Download JSON