Server-Side Request Forgery Vulnerability in NewsBlur by Samuel Clay
CVE-2026-56771

6.3MEDIUM

Key Information:

Vendor: Samuelclay
Status: Newsblur
Vendor: CVE Published:; 25 June 2026

What is CVE-2026-56771?

NewsBlur versions before 14.5.0 contain a vulnerability in the add_url endpoint, allowing authenticated users to exploit server-side request forgery. This flaw permits attackers to make unauthorized requests to internal networks by bypassing filters for private IP addresses. As a consequence, malicious actors can gain access to localhost services and cloud metadata endpoints, thereby facilitating internal network scanning and potential exfiltration of sensitive data.

Affected Version(s)

NewsBlur 0 < 14.5.0

References

https://github.com/samuelclay/NewsBlur/releases/tag/Andro...

release-notes

https://github.com/samuelclay/NewsBlur/commit/2e6c6812c94...

patch

https://github.com/samuelclay/NewsBlur/commit/af742daeca7...

patch

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2026
Vulnerability Reserved
Jun 23, 2026

Credit

George Chen

CVE-2026-56771 Data

JSON

Samuelclay

What is CVE-2026-56771?

Affected Version(s)

References

CVSS V4

Timeline

Credit