PT-2026-52546 · Samuelclay · Newsblur
George Chen · Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-56772
CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user id values to access another user's follows, replies, and social activity without authorization.
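The missing ownership check, shown as an added example that is not NewsBlur's code or its actual patch: a handler that trusts the client-supplied id next to one that ties the id to the session. The `user_id` parameter name, the `Request` shape, the 403 behaviour and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: interactions keyed by owning user (not NewsBlur's schema).
INTERACTIONS = {
    1: ["bob started following you", "carol replied to your comment"],
    2: ["alice replied to your share"],
}


@dataclass
class Request:
    """Hypothetical stand-in for a framework request object."""
    session_user_id: int                        # identity set by the login session
    params: dict = field(default_factory=dict)  # client-controlled query string


class Forbidden(Exception):
    """Would map to an HTTP 403 response."""


def interactions_vulnerable(req: Request) -> list:
    # Pattern described in the advisory: the feed owner is taken from the
    # query string, so any authenticated user can read any other user's feed.
    target = int(req.params.get("user_id", req.session_user_id))
    return INTERACTIONS.get(target, [])


def interactions_hardened(req: Request) -> list:
    # The session identity is authoritative. A supplied id is only accepted
    # when it parses cleanly and equals the session user.
    raw = req.params.get("user_id")
    if raw is not None:
        try:
            requested = int(raw)
        except (TypeError, ValueError):
            raise Forbidden("malformed user_id")
        if requested != req.session_user_id:
            raise Forbidden("user_id does not belong to the session user")
    return INTERACTIONS.get(req.session_user_id, [])
```

A regression test for this class of bug makes the request as one authenticated user with another user's id and asserts that the response is a denial rather than data.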
Fix
IDOR
Affected Products
Newsblur