
CVE-2026-21885: CWE-918: Server-Side Request Forgery (SSRF) in miniflux v2

Severity: Medium
Tags: Vulnerability, CVE-2026-21885, CWE-918
Published: Thu Jan 08 2026 (01/08/2026, 13:57:25 UTC)
Source: CVE Database V5
Vendor/Project: miniflux
Product: v2

Description

Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue.

AI-Powered Analysis

AI analysis last updated: 01/08/2026, 14:20:39 UTC

Technical Analysis

CVE-2026-21885 is a Server-Side Request Forgery (SSRF) vulnerability identified in Miniflux version 2, an open-source feed reader. The vulnerability exists in the media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) prior to version 2.2.16. Authenticated users can exploit this endpoint to generate signed proxy URLs that cause the Miniflux server to fetch arbitrary URLs chosen by the attacker. This includes URLs pointing to internal network resources such as localhost, private IP ranges defined by RFC1918, or link-local metadata endpoints often used in cloud environments. By requesting the generated proxy URL, the attacker can retrieve responses from these internal resources, potentially exposing sensitive information or internal services that are not meant to be publicly accessible. The vulnerability requires authentication but no additional user interaction, making it a direct threat once credentials are obtained. The CVSS 3.1 base score is 6.5, indicating a medium severity with a high impact on confidentiality but no impact on integrity or availability. The issue was addressed and fixed in Miniflux version 2.2.16. There are no known exploits in the wild at the time of publication. The vulnerability stems from inadequate validation and filtering of URLs passed to the proxy endpoint, allowing SSRF attacks that can bypass network segmentation and firewall protections. This can lead to information disclosure from internal systems and cloud metadata services, which can be leveraged for further attacks.

Potential Impact

For European organizations using vulnerable versions of Miniflux, this SSRF vulnerability poses a significant risk of internal network reconnaissance and data exposure. Attackers with valid user credentials can exploit the proxy endpoint to access internal services, including sensitive metadata endpoints in cloud environments (e.g., AWS, Azure, GCP). This can lead to leakage of confidential information such as internal IP addresses, service configurations, or credentials stored in metadata services. Although the vulnerability does not directly impact data integrity or system availability, the confidentiality breach can facilitate lateral movement, privilege escalation, or targeted attacks within the network. Organizations relying on Miniflux for internal or external feed aggregation should consider the risk of exposing internal infrastructure details and the potential for attackers to bypass perimeter defenses. The impact is heightened in environments with sensitive internal services or cloud deployments where metadata endpoints are critical. The requirement for authentication limits exposure to insiders or compromised accounts, but this does not eliminate the risk, especially in environments with weak credential management or phishing threats.

Mitigation Recommendations

European organizations should immediately upgrade Miniflux to version 2.2.16 or later, where this SSRF vulnerability is fixed. Until the upgrade is applied, restrict access to the media proxy endpoint to trusted users only and monitor usage for suspicious activity. Implement network-level controls to limit Miniflux server outbound requests to only necessary external addresses, blocking access to internal IP ranges and cloud metadata endpoints. Employ strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Conduct regular audits of user accounts and permissions to ensure only authorized users have access to Miniflux. Additionally, consider deploying web application firewalls (WAFs) with rules to detect and block SSRF patterns targeting proxy endpoints. Monitor logs for unusual proxy URL generation or access patterns that may indicate exploitation attempts. Finally, educate users about the risks of credential phishing and enforce robust password policies to minimize the risk of unauthorized access.
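One way to implement the outbound-request restriction recommended above at the application layer, as an added example that is not Miniflux's own fix: a Go HTTP client (Miniflux is written in Go) whose dialer refuses loopback, private and link-local destinations after DNS resolution, so a hostname that resolves or is later rebound to an internal address is rejected at connect time. Function names and the constructed sample addresses are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// forbiddenIP reports whether a destination is one a media proxy must never fetch:
// loopback, RFC1918/ULA private ranges, link-local (which covers the cloud metadata
// address 169.254.169.254), multicast and the unspecified address.
func forbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// guardedControl is a net.Dialer Control hook. It receives the address the socket
// is about to connect to after DNS resolution, so the check cannot be bypassed by a
// public hostname that resolves to an internal IP.
func guardedControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("proxy: unparsable dial address %q", address)
	}
	if forbiddenIP(ip) {
		return errors.New("proxy: refusing to connect to internal address " + ip.String())
	}
	return nil
}

// newEgressClient builds a client whose transport enforces the guard on every
// connection, including each redirect hop (a public host may 302 to an internal one).
func newEgressClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second, Control: guardedControl}
	return &http.Client{
		Transport: &http.Transport{DialContext: dialer.DialContext},
		Timeout:   30 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("proxy: too many redirects")
			}
			return nil // each hop still dials through guardedControl
		},
	}
}

func main() {
	_ = newEgressClient()
	// Constructed sample destinations: the first two must be refused, the last allowed.
	for _, addr := range []string{"127.0.0.1:80", "169.254.169.254:80", "93.184.216.34:443"} {
		fmt.Printf("%s -> %v\n", addr, guardedControl("tcp", addr, nil))
	}
}
```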


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-05T17:24:36.928Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 695fb9abc901b06321f2a5dd

Added to database: 1/8/2026, 2:05:31 PM

Last enriched: 1/8/2026, 2:20:39 PM

Last updated: 1/9/2026, 12:45:43 AM

