CVE-2026-56772
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
NewsBlur before version 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notifications by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification.
Risk Assessment
Attackers can access other users' social activity, leading to privacy violations and potential data leaks.
Recommendation
It is recommended to upgrade to version 14.5.0 or later to mitigate this vulnerability and implement additional access verification mechanisms.
Original NVD description (English source)
NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user's follows, replies, and social activity without authorization.

