CVE-2026-56772
NewsBlur < 14.5.0 - Insecure Direct Object Reference in Social Interactions Endpoint
| CVSS Score | 4.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user's follows, replies, and social activity without authorization.
| CWE | CWE-639 |
| Vendor | samuelclay |
| Product | newsblur |
| Published | Jun 25, 2026 |
| Last Updated | Jun 25, 2026 |
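The advisory describes a CWE-639 pattern: a handler keys a private feed by a client-supplied `user_id` without checking that it belongs to the authenticated session. The following is an added, simplified model of that defect and its fix, not NewsBlur's code; the handler names, the in-memory `INTERACTIONS` store, and the access-log format in `SAMPLE_LOG` are constructed for illustration. The last function shows the kind of check a defender can run over request logs to spot a session user requesting other users' `user_id` values.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data: each user's private notification feed, keyed by user id.
INTERACTIONS: Dict[int, List[dict]] = {
    1: [{"type": "follow", "from": "alice"}],
    2: [{"type": "reply", "from": "bob", "text": "thanks for the share"}],
    3: [{"type": "follow", "from": "carol"}],
}


class Forbidden(Exception):
    """Raised when a request targets a resource the session user does not own."""


def interactions_vulnerable(session_user_id: int, query: dict) -> List[dict]:
    """Vulnerable shape: the feed is looked up by whatever user_id the client sends.

    There is no ownership check, so any authenticated user can read any other
    user's feed simply by varying the user_id query parameter (CWE-639).
    """
    target = int(query.get("user_id", session_user_id))
    return INTERACTIONS.get(target, [])


def interactions_fixed(session_user_id: int, query: dict) -> List[dict]:
    """Fixed shape: the feed key is derived from the authenticated session.

    A client-supplied user_id is only tolerated when it equals the session
    user; any other value is rejected instead of being used as the lookup key.
    """
    requested: Optional[str] = query.get("user_id")
    if requested is not None and int(requested) != session_user_id:
        raise Forbidden("user_id does not match the authenticated user")
    return INTERACTIONS.get(session_user_id, [])


def call_fixed(session_user_id: int, query: dict) -> Tuple[str, Optional[List[dict]]]:
    """Helper that turns the fixed handler's outcome into a plain tuple for checks."""
    try:
        return ("ok", interactions_fixed(session_user_id, query))
    except Forbidden:
        return ("forbidden", None)


# Constructed access-log lines (hypothetical format): authenticated user, method, path.
SAMPLE_LOG = [
    "user=1 GET /social/interactions?user_id=1",
    "user=1 GET /social/interactions?user_id=2",
    "user=1 GET /social/interactions?user_id=3",
    "user=7 GET /reader/feeds",
]

_LOG_RE = re.compile(
    r"user=(?P<auth>\d+) GET /social/interactions\?user_id=(?P<target>\d+)"
)


def find_idor_attempts(lines: List[str]) -> List[Tuple[int, int]]:
    """Return (session_user, requested_user_id) pairs where the two differ.

    On a patched deployment these requests should be rejected; on an unpatched
    one, a session cycling through many user_id values is the enumeration
    behaviour the advisory describes, so the pairs are worth alerting on.
    """
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if m and int(m["auth"]) != int(m["target"]):
            hits.append((int(m["auth"]), int(m["target"])))
    return hits


if __name__ == "__main__":
    print("vulnerable, user 1 asks for user 2:", interactions_vulnerable(1, {"user_id": "2"}))
    print("fixed, user 1 asks for user 2:", call_fixed(1, {"user_id": "2"}))
    print("suspicious log entries:", find_idor_attempts(SAMPLE_LOG))
```

The fix keeps the session identity as the only source of the lookup key; rejecting a mismatched `user_id` rather than silently substituting the session id also makes probing visible in logs, which is what `find_idor_attempts` keys on.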
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | None |
| Availability | None |
Affected Versions
samuelclay / NewsBlur
0 < 14.5.0
References
- github.com: https://github.com/samuelclay/NewsBlur/releases/tag/Android_14.5.0
- github.com: https://github.com/samuelclay/NewsBlur/commit/613c60b67cc46b3f4cae1dc2dfd8d717a39bc483
- vulncheck.com: https://www.vulncheck.com/advisories/newsblur-insecure-direct-object-reference-in-social-interactions-endpoint
Credits
George Chen