CVE Catalog

CVE-2026-56772

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

NewsBlur before version 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notifications by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification.

Risk Assessment

Attackers can access other users' social activity, leading to privacy violations and potential data leaks.

Recommendation

It is recommended to upgrade to version 14.5.0 or later to mitigate this vulnerability and implement additional access verification mechanisms.

Original NVD description (English source)

NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user's follows, replies, and social activity without authorization.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS