top of page
perceptive_background_267k.jpg

FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. U…

Published:

8 March 2026 at 23:00:00

Alert date:

9 March 2026 at 21:02:12

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies, Identity & Access

FreshRSS, a free self-hostable RSS aggregator, contains an authentication bypass vulnerability in versions prior to 1.28.0. The bug exists in the auth logic related to master authentication tokens, allowing the restriction to be bypassed. This vulnerability enables unauthorized access to private user feeds when anonymous viewing is enabled, when normally only the default user's feed should be viewable. The issue has been patched in version 1.28.0.

Technical details

Mitigation steps:

Affected products:

FreshRSS

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2025-62166
https://github.com/FreshRSS/FreshRSS/commit/60cf5ea297a17db861e73cd65d7b7862bd6bcc24
https://github.com/FreshRSS/FreshRSS/pull/8165
https://github.com/FreshRSS/FreshRSS/releases/tag/1.28.0
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w743-fg6g-mhwh

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page