CVE-2025-62166
HIGH
FreshRSS <1.28.0 - Auth Bypass
Title source: llm
Description
FreshRSS is a free, self-hostable RSS aggregator. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. Prior to 1.28.0, a bug in the auth logic related to master authentication tokens allows this restriction to be bypassed. This vulnerability is fixed in 1.28.0.
Scores
CVSS v3
7.5
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Classification
CWE
CWE-639
CWE-284
Status
draft
Timeline
Published
Mar 09, 2026
Tracked Since
Mar 10, 2026