Cyber Resilience

CVE-2025-62166

HighPublic PoC

Published: 09 March 2026

Published
09 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0024 46.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-62166 is a high-severity Improper Access Control (CWE-284) vulnerability in Freshrss Freshrss. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-62166 is a vulnerability in FreshRSS, a free, self-hostable RSS aggregator, affecting versions prior to 1.28.0. The issue stems from a bug in the authentication logic related to master authentication tokens, which allows bypassing restrictions on feed visibility. Normally, when anonymous viewing is enabled, only the default user's feeds are accessible, while feeds belonging to other users remain private. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed master token handling, they can view private feeds of non-default users, resulting in high confidentiality impact without affecting integrity or availability.

The vulnerability was fixed in FreshRSS version 1.28.0, as detailed in the project's GitHub security advisory (GHSA-w743-fg6g-mhwh), the corresponding pull request (#8165), and the release notes. Security practitioners should upgrade to 1.28.0 or later and review configurations for anonymous viewing to mitigate exposure. The patching commit is available at https://github.com/FreshRSS/FreshRSS/commit/60cf5ea297a17db861e73cd65d7b7862bd6bcc24.

EU & UK References

Vulnerability details

FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds…

more

of other users should be private. This vulnerability is fixed in 1.28.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of public-facing web app via auth bypass for unauthorized data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-58173Same product: Freshrss Freshrss
CVE-2026-20897Shared CWE-284, CWE-639
CVE-2026-25758Shared CWE-284, CWE-639
CVE-2026-21447Shared CWE-284, CWE-639
CVE-2026-20912Shared CWE-284, CWE-639
CVE-2026-27449Shared CWE-284, CWE-639
CVE-2026-39339Shared CWE-284
CVE-2026-41471Shared CWE-639
CVE-2025-58402Shared CWE-639
CVE-2026-46839Shared CWE-284

Affected Assets

freshrss
freshrss
≤ 1.28.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access to private user feeds, directly countering the authorization bypass via flawed master token handling.

prevent

Requires timely remediation of the specific authentication flaw fixed in FreshRSS 1.28.0, preventing exploitation of the access control vulnerability.

prevent

Limits permitted actions without identification or authentication to only the default user's feeds when anonymous viewing is enabled, addressing the bypass of private feed restrictions.

References