What is CVE-2026-21885?

### Summary Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. ### Details - **Vulnerable route**: `GET /proxy/{encodedDigest}/{encodedURL}` (accessible without authentication, but requires a server-generated HMAC-signed URL) - **Handler**: `internal/ui/proxy.go` (`(*handler).mediaProxy`) - **Trigger**: entry content is rewritten to proxy media URLs (e.g., `mediaproxy.RewriteDocumentWithAbsoluteProxyURL(...)`), producing signed `/proxy/...` URLs. - **Root cause**: the proxy validates the URL scheme and HMAC signature, but does not restrict target hosts/IPs. As a result, requests to loopback/private/link-local addresses are allowed and fetched by the server. ### PoC 1) Run Miniflux 2.2.15 with default configuration (media proxy enabled by default: `MEDIA_PROXY_MODE=http-only`). 2) Log in with any normal user account. 3) Subscribe to a feed you control that contains an entry with an image URL pointing to an internal address reachable from the Miniflux server, e.g.: - ` /secret">` (Note: ` ` must be reachable *from the Miniflux process/network*; in containerized setups, `127.0.0.1` may not refer to the host.) 4) Open the entry and locate the rewritten media proxy URL (`/proxy/ / `) in the rendered HTML/page source. 5) Request the `/proxy/...` URL. Expected (vulnerable): Miniflux fetches the internal URL and returns the internal response (SSRF). ### Impact **Type**: SSRF (Server-Side Request Forgery) via media proxy **Who is impacted**: Miniflux instances with media proxy enabled (default configuration typically enables it for HTTP/mixed content handling). **Impact**: attackers with a valid Miniflux account can fetch internal resources reachable from the Miniflux server (e.g., localhost services, private network services, and link-local endpoints such as 169.254.169.254), potentially exposing sensitive data. ### Suggested CVSS (v3.1) `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` (Base 6.5) If there any questions or issues reproducing this, please contact: jeongwoolee340@gmail.com

What is the severity of CVE-2026-21885?

CVE-2026-21885 has a CVSS v3 score of 6.5, which is classified as Medium severity.

Is there an exploit available for CVE-2026-21885?

No known public exploits are currently available for CVE-2026-21885.

Is there a patch available for CVE-2026-21885?

Yes, patches are available for CVE-2026-21885. Check the vendor advisories for update instructions.

CVE-2026-21885 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v36.5

CVSS v20.0

Priority Score338.0

EPSS Score0.0

Medium

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

6.5

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

Miniflux's media proxy endpoint (GET /proxy/{encodedDigest}/{encodedURL}) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting /proxy/... URL makes Miniflux fetch and return the internal response.

Details

Vulnerable route: GET /proxy/{encodedDigest}/{encodedURL} (accessible without authentication, but requires a server-generated HMAC-signed URL)
Handler: internal/ui/proxy.go ((*handler).mediaProxy)
Trigger: entry content is rewritten to proxy media URLs (e.g., mediaproxy.RewriteDocumentWithAbsoluteProxyURL(...)), producing signed /proxy/... URLs.
Root cause: the proxy validates the URL scheme and HMAC signature, but does not restrict target hosts/IPs. As a result, requests to loopback/private/link-local addresses are allowed and fetched by the server.

PoC

Run Miniflux 2.2.15 with default configuration (media proxy enabled by default: MEDIA_PROXY_MODE=http-only).
Log in with any normal user account.
Subscribe to a feed you control that contains an entry with an image URL pointing to an internal address reachable from the Miniflux server, e.g.:
- <img src="http://<internal-target>/secret"> (Note: <internal-target> must be reachable from the Miniflux process/network; in containerized setups, 127.0.0.1 may not refer to the host.)
Open the entry and locate the rewritten media proxy URL (/proxy/<encodedDigest>/<encodedURL>) in the rendered HTML/page source.
Request the /proxy/... URL. Expected (vulnerable): Miniflux fetches the internal URL and returns the internal response (SSRF).

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Local

User Interaction:Network

Scope:Unchanged

Confidentiality:High

Integrity:Network

Availability:Network

Patch References

Security [email protected]