Access Control Flaw in NewsBlur by Samuel Clay
CVE-2026-56772

5.3 MEDIUM

Key Information:

Vendor: Samuelclay

Status
Vendor
CVE Published: 25 June 2026

What is CVE-2026-56772?

NewsBlur prior to version 14.5.0 has a broken access control issue in the GET /social/interactions API endpoint. An authenticated user can manipulate the user_id parameter to read another user's private notification feed without authorization. Because user_id values can be enumerated, an attacker can view other users' follows, personal replies, and overall social activity, which compromises user privacy and security.
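For reviewing logs from versions before 14.5.0, the following added example (not NewsBlur code) flags sessions that requested /social/interactions with a user_id other than their own. The log format, the auth_user field, the sample lines, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed (constructed) log format, not NewsBlur's own:
#   <timestamp> auth_user=<session user id> <METHOD> <url> <status>
LINE_RE = re.compile(r"^(\S+) auth_user=(\d+) (\S+) (\S+) (\d{3})$")

# Constructed sample lines for the example.
SAMPLE_LOG = """\
2026-06-25T10:00:01Z auth_user=42 GET /social/interactions?user_id=42 200
2026-06-25T10:00:05Z auth_user=77 GET /social/interactions?user_id=101 200
2026-06-25T10:00:06Z auth_user=77 GET /social/interactions?user_id=102 200
2026-06-25T10:00:07Z auth_user=77 GET /social/interactions?user_id=103 200
2026-06-25T10:00:09Z auth_user=42 GET /reader/feeds?user_id=99 200
2026-06-25T10:00:12Z auth_user=55 GET /social/interactions?user_id=42&page=2 200
"""


def cross_user_reads(log_text):
    """Map each session user to the set of other users' ids it requested."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        _ts, auth_user, method, url, _status = m.groups()
        parts = urlsplit(url)
        if method != "GET" or parts.path.rstrip("/") != "/social/interactions":
            continue
        # Any user_id that differs from the session user is a cross-user read.
        for requested in parse_qs(parts.query).get("user_id", []):
            if requested != auth_user:
                hits[auth_user].add(requested)
    return dict(hits)


def flag_enumeration(log_text, threshold=3):
    """Session users that requested at least `threshold` distinct other ids."""
    reads = cross_user_reads(log_text)
    return sorted(u for u, targets in reads.items() if len(targets) >= threshold)


if __name__ == "__main__":
    print(cross_user_reads(SAMPLE_LOG))
    print(flag_enumeration(SAMPLE_LOG))
```

A single mismatch already indicates a cross-user read; the threshold only separates enumeration across many ids from one-off requests.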

Affected Version(s)

NewsBlur 0 < 14.5.0

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen