CVE-2026-21885
📋 TL;DR
Miniflux 2's media proxy endpoint can be abused by authenticated users to perform Server-Side Request Forgery (SSRF), allowing attackers to make the server fetch internal network resources. This affects all Miniflux 2 installations prior to version 2.2.16 where users can create or modify feed content. Attackers need authenticated access to exploit this vulnerability.
💻 Affected Systems
- Miniflux 2
📦 What is this software?
Miniflux by Miniflux Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive internal services, cloud metadata endpoints, or pivot to other internal systems, potentially leading to data exfiltration or further network compromise.
Likely Case
Attackers with authenticated access could probe internal networks, access internal web services, or retrieve cloud metadata containing credentials.
If Mitigated
With proper network segmentation and authentication controls, impact is limited to accessing only authorized internal resources reachable from the Miniflux server.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated; SSRF techniques are well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.16
Vendor Advisory: https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp
Restart Required: Yes
Instructions:
1. Back up your Miniflux database and configuration.
2. Stop the Miniflux service.
3. Update to version 2.2.16 using your package manager or by downloading the release from GitHub.
4. Restart the Miniflux service.
5. Verify that the running version is 2.2.16 or higher.
🔧 Temporary Workarounds
Network Segmentation
Linux: Restrict the Miniflux server's outbound network access to prevent SSRF to internal resources. Note that the two rules below drop all outbound HTTP/HTTPS from the host, which also stops Miniflux from fetching feeds; if feed refreshes must keep working, limit the DROP to the internal and metadata destination ranges listed under "If You Can't Patch" instead.
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
Authentication Hardening
All platforms: Implement strict access controls and monitor for suspicious activity by authenticated users.
🧯 If You Can't Patch
- Implement strict network egress filtering to block Miniflux server access to internal RFC1918 addresses and metadata endpoints.
- Monitor proxy endpoint logs for unusual patterns and restrict user permissions for feed management.
🔍 How to Verify
Check if Vulnerable:
Check the Miniflux version; if it is below 2.2.16, the installation is vulnerable to any authenticated user who can create or modify feed content.
Check Version:
Run miniflux --version, or check the version shown in the web interface footer.
Verify Fix Applied:
Confirm Miniflux version is 2.2.16 or higher and test that proxy endpoint no longer accepts internal URLs.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /proxy/ endpoint with encoded internal IPs
- Multiple failed proxy requests from single user
Network Indicators:
- Miniflux server making outbound requests to internal IP ranges
- Requests to cloud metadata endpoints from Miniflux
SIEM Query:
source="miniflux" AND uri_path="/proxy/*" AND (dst_ip=10.0.0.0/8 OR dst_ip=172.16.0.0/12 OR dst_ip=192.168.0.0/16 OR dst_ip=169.254.169.254)
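Two pieces of the guidance above lend themselves to code: the destination check a fixed media proxy must perform before fetching (the "Verify Fix Applied" step tests for exactly this behaviour), and the condition behind the SIEM query (a /proxy/ request whose destination falls in an RFC1918 range or is 169.254.169.254). The Go program below is an added example written for this page; it is not Miniflux's own code and does not reproduce how the 2.2.16 fix is implemented. It assumes a constructed access-log format of "<user> <uri_path> <dst_ip>" per line, takes the DNS resolver as a parameter so it runs offline, and extends the query's ranges with loopback and the IPv6 equivalents (an assumption you should match to your own address plan).

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Ranges the advisory's SIEM query treats as internal (RFC1918, the link-local
// block holding 169.254.169.254), plus loopback and IPv6 equivalents (assumed).
var internalRanges = mustParseCIDRs(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
	"127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) (out []*net.IPNet) {
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// isInternal reports whether ip is in any internal range. net.IPNet.Contains
// unmaps IPv4-mapped IPv6 literals such as ::ffff:10.0.0.1 itself, so that
// notation cannot bypass the IPv4 ranges.
func isInternal(ip net.IP) bool {
	for _, n := range internalRanges {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// checkProxyTarget is the guard an SSRF-safe media proxy applies before
// fetching: resolve the host and refuse the URL if ANY answer is internal.
// The resolver is a parameter so this runs offline; pass net.LookupIP in real use.
func checkProxyTarget(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return fmt.Errorf("empty host in %q", raw)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no DNS lookup needed
	} else if ips, err = resolve(host); err != nil {
		return err
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return fmt.Errorf("%s resolves to internal address %s", host, ip)
		}
	}
	return nil
}

// Constructed access-log sample, "<user> <uri_path> <dst_ip>" per line; the
// /proxy/ tokens are placeholders, not real Miniflux proxy keys.
const sampleLog = `alice /proxy/tok1 203.0.113.10
alice /proxy/tok2 169.254.169.254
bob /feeds 203.0.113.20
bob /proxy/tok3 10.0.0.5
carol /proxy/tok4 ::ffff:127.0.0.1`

// flagInternalProxyHits returns the lines matching the SIEM query's condition:
// a /proxy/ request whose destination address is internal.
func flagInternalProxyHits(logText string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || !strings.HasPrefix(f[1], "/proxy/") {
			continue
		}
		if ip := net.ParseIP(f[2]); ip != nil && isInternal(ip) {
			hits = append(hits, sc.Text())
		}
	}
	return hits
}

func main() {
	for _, h := range flagInternalProxyHits(sampleLog) {
		fmt.Println("internal proxy destination:", h)
	}
}
```

The guard rejects a hostname when any resolved address is internal rather than only the first, so a name whose answer set mixes public and private addresses is refused; IP literals skip DNS entirely, and IPv4-mapped IPv6 literals are caught by the IPv4 ranges. The log scanner mirrors the SIEM query's logic over the constructed sample, flagging the metadata address, the 10/8 destination and the mapped loopback address while ignoring the non-proxy request.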