CVE Reports

Originally published at cvereports.com

CVE-2026-21885: The Call is Coming from Inside the House: Unrestricted SSRF in Miniflux


Vulnerability ID: CVE-2026-21885
CVSS Score: 6.5
Published: 2026-01-07

A logic flaw in Miniflux's media proxy allows authenticated users to turn the server against itself, probing internal networks and cloud metadata services via Server-Side Request Forgery (SSRF).

TL;DR

Miniflux's media proxy feature, designed to protect user privacy, failed to validate destination IP addresses. Authenticated attackers can trick the server into fetching internal resources (like AWS metadata or local admin panels) by embedding malicious URLs in RSS feeds. Fixed in version 2.2.16.
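The missing control described above is a destination check on the address the proxy is about to fetch. The following Go code is an added illustration of that check, not Miniflux's own code or patch: it parses a feed-supplied URL, resolves the host through an injectable resolver (a constructed, hard-coded table is used here so it runs offline), rejects loopback, private, link-local (including the 169.254.169.254 metadata endpoint), unspecified and multicast addresses, and returns the vetted addresses so the caller can dial one of them directly. Function and type names (`ValidateProxyTarget`, `Resolver`, `constructedResolver`) are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver lets the caller inject name resolution so the check is testable
// offline; in production this would wrap the system resolver.
type Resolver func(host string) ([]net.IP, error)

// ErrDisallowedTarget is returned when a proxied URL points at an address the
// media proxy must never fetch.
var ErrDisallowedTarget = errors.New("media proxy: destination address not allowed")

// isDisallowedIP reports whether an address lies in a range an internet-facing
// proxy should never reach: loopback, RFC 1918 / ULA private space, link-local
// (which contains the 169.254.169.254 cloud metadata endpoint), unspecified
// and multicast.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() ||
		ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() ||
		ip.IsUnspecified() ||
		ip.IsMulticast()
}

// ValidateProxyTarget parses a URL taken from a feed, resolves its host with
// the given resolver and rejects the request if any resolved address is
// disallowed. It returns the vetted addresses so the caller can dial one of
// them directly instead of re-resolving the name, which would reopen a
// DNS-rebinding window between the check and the fetch.
func ValidateProxyTarget(rawURL string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("media proxy: scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("media proxy: empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no lookup needed
	} else {
		ips, err = resolve(strings.ToLower(host))
		if err != nil {
			return nil, err
		}
		if len(ips) == 0 {
			return nil, fmt.Errorf("media proxy: %s did not resolve", host)
		}
	}
	// Reject if *any* address is internal: a name that resolves to both a
	// public and a private address must not be allowed through.
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrDisallowedTarget, host, ip)
		}
	}
	return ips, nil
}

// constructedResolver is a hypothetical, hard-coded lookup table (constructed
// sample data) so the example runs without network access.
func constructedResolver(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"cdn.example.com":      {net.ParseIP("203.0.113.10")},
		"rebind.example.com":   {net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")},
		"metadata.example.com": {net.ParseIP("169.254.169.254")},
	}
	ips, ok := table[host]
	if !ok {
		return nil, fmt.Errorf("no such host: %s", host)
	}
	return ips, nil
}

func main() {
	for _, u := range []string{
		"https://cdn.example.com/image.png",
		"http://169.254.169.254/latest/meta-data/",
		"http://127.0.0.1:8080/admin",
		"http://rebind.example.com/pixel.gif",
		"http://[::1]/",
	} {
		if _, err := ValidateProxyTarget(u, constructedResolver); err != nil {
			fmt.Printf("REJECT %-45s %v\n", u, err)
		} else {
			fmt.Printf("ALLOW  %s\n", u)
		}
	}
}
```

Two design points matter for a proxy like this one: the check must run on every resolved address, not just the first, so a name that answers with one public and one internal record is still refused; and the vetted address must be the one actually dialed, otherwise a second lookup at fetch time can return a different answer than the one that passed validation. Redirects need the same treatment, since a permitted public URL can redirect to an internal one.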

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS: 6.5 (Medium)
  • Privileges: Low (Authenticated)
  • Impact: High Confidentiality Loss
  • Exploit Status: Proof of Concept

Affected Systems

  • Miniflux v2
  • Miniflux: <= 2.2.15 (Fixed in: 2.2.16)

Exploit Details

Mitigation Strategies

  • Disable Media Proxy if patching is not possible immediately.
  • Network segmentation: Ensure the Miniflux container cannot reach sensitive internal endpoints.

Remediation Steps

  1. Pull the latest docker image: docker pull miniflux/miniflux:latest
  2. Restart the container.
  3. Verify the version is >= 2.2.16 in the footer or settings.

Read the full report for CVE-2026-21885 on our website for more details including interactive diagrams and full exploit analysis.
