FreshRSS: Anonymous users can view other users' feeds

CVE-2025-62166
Summary

A bug in the authentication system of FreshRSS allowed anonymous users to view feeds that should be private. This has been fixed in version 1.28.0, so upgrade to this version to prevent unauthorized access to your users' feeds.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor     Product    Affected versions    Fix available
freshrss   freshrss   <= 1.28.0            –
Original title
FreshRSS is a free, self-hostable RSS aggregator. Prior to 1.28.0, a bug in the auth logic related to master authentication tokens allows this restriction to be bypassed. Usually only the default user's feed s...
Original description
FreshRSS is a free, self-hostable RSS aggregator. Prior to 1.28.0, a bug in the auth logic related to master authentication tokens allows this restriction to be bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. This vulnerability is fixed in 1.28.0.
NVD CVSS 3.1: 7.5
Vulnerability type
CWE-284 Improper Access Control
CWE-639 Authorization Bypass Through User-Controlled Key
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026