### Vulnerability Key Information

- **Vulnerability Type**: SSRF (Server-Side Request Forgery)
- **Affected Versions**: <= 2.2.15
- **Fixed Version**: 2.2.16
- **Vulnerability ID**: CVE-2026-21885
- **Vulnerability Description**:
  - The media proxy endpoint `/proxy/{encodedDigest}/{encodedURL}` in Miniflux can be abused to perform Server-Side Request Forgery (SSRF).
  - An authenticated user can obtain server-signed proxy URLs for attacker-chosen media URLs, including internal addresses, by embedding those URLs in feed item content that Miniflux rewrites.
  - Requests to the resulting `/proxy/...` URLs cause Miniflux to fetch the target and return its response to the requester.
- **Risk Level**: Medium (CVSS v3.1 Base Score: 6.5)
- **Vulnerability Details**:
  - **Vulnerable Route**: GET `/proxy/{encodedDigest}/{encodedURL}` (no authentication is required on the route itself, but the URL must carry a valid HMAC signature, which only the server can produce)
  - **Trigger Condition**: Feed item content is rewritten to include proxy media URLs, e.g. by `mediaproxy.RewriteDocumentWithAbsoluteProxyURL(...)`, which produces signed `/proxy/...` URLs for every media URL in the item, including attacker-supplied ones.
  - **Root Cause**: The proxy validates the URL pattern and the HMAC signature, but does not restrict the target host or IP address. The signature proves only that the URL was generated by the server, not that the destination is safe to fetch.
- **Impact Scope**:
  - An attacker can read responses from internal resources reachable by the Miniflux server, such as localhost services, private-network services, and link-local endpoints, potentially exposing sensitive data.
- **CVE Details**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- **Disclosure Information**:
  - Reporter: eclipse07077-ljw
  - Contact: jeongwoolee340@gmail.com
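The root cause described above is a missing destination check, not a weakness in the signature. The following Go example is added here for illustration and is not taken from Miniflux's code base or from its 2.2.16 fix: it shows the kind of check a media proxy needs in addition to HMAC verification. `checkProxyTarget` parses the decoded media URL, resolves its host, and rejects loopback, private, link-local (which covers the 169.254.169.254 cloud metadata endpoint), multicast and unspecified addresses, including IPv4-mapped IPv6 forms; `dialControl` repeats the check on the address the socket actually connects to, which closes the DNS-rebinding window between the pre-fetch resolution and the real connection. The function names, the resolver table and the sample URLs are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
)

// isBlockedIP reports whether an address is one the media proxy must never
// fetch from: loopback, RFC 1918 / ULA private ranges, link-local (including
// 169.254.169.254), multicast and unspecified. IPv4-mapped IPv6 addresses such
// as ::ffff:127.0.0.1 are normalised to 4-byte form first so they cannot
// bypass the IPv4 checks.
func isBlockedIP(ip net.IP) bool {
	if ip == nil {
		return true
	}
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsLoopback() ||
		ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() ||
		ip.IsUnspecified()
}

// Resolver abstracts DNS so the check can be exercised offline (assumed helper type).
type Resolver func(host string) ([]net.IP, error)

// checkProxyTarget validates the decoded media URL before the proxy fetches it.
// It runs in addition to, not instead of, the HMAC check: the signature proves
// the URL was produced by the server, not that the destination is safe.
func checkProxyTarget(rawURL string, resolve Resolver) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("invalid media URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("media URL has no host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no DNS involved
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve %q", host)
	}
	// Reject if *any* resolved address is blocked; a host with one public and
	// one internal A record must not get through on the public one.
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return fmt.Errorf("target %s resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// dialControl re-checks the address the socket actually connects to. Installed
// as net.Dialer.Control it runs on every connection attempt, after the final
// DNS lookup, so a record that changed since checkProxyTarget is still caught.
func dialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if isBlockedIP(net.ParseIP(host)) {
		return fmt.Errorf("refusing to connect to %s", address)
	}
	return nil
}

// newHardenedClient wires dialControl into an http.Client for the proxy fetch.
func newHardenedClient() *http.Client {
	dialer := &net.Dialer{Control: dialControl}
	return &http.Client{Transport: &http.Transport{DialContext: dialer.DialContext}}
}

func main() {
	// Constructed resolver table standing in for DNS in this example.
	resolve := func(host string) ([]net.IP, error) {
		switch host {
		case "cdn.example.com":
			return []net.IP{net.ParseIP("93.184.216.34")}, nil
		case "evil.example.com":
			return []net.IP{net.ParseIP("10.0.0.5")}, nil
		}
		return nil, errors.New("NXDOMAIN")
	}
	for _, u := range []string{
		"https://cdn.example.com/img.png",
		"http://127.0.0.1:8080/metrics",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::1]/admin",
		"https://evil.example.com/x.jpg",
	} {
		fmt.Printf("%-45s %v\n", u, checkProxyTarget(u, resolve))
	}
	_ = newHardenedClient() // use this client, not http.DefaultClient, for the fetch
}
```

Two caveats a reviewer would raise: an allow-list of permitted hosts is stronger than a deny-list of address ranges where the deployment can support one, and redirects must be re-validated (set `CheckRedirect` on the client, or disable redirects) because a public host can 302 to an internal address; with `dialControl` in place the redirected connection is still rejected at dial time.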