CVE-2025-62166
Published: 09 March 2026
Summary
CVE-2025-62166 is a high-severity Improper Access Control (CWE-284) vulnerability in Freshrss Freshrss. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-62166 is a vulnerability in FreshRSS, a free, self-hostable RSS aggregator, affecting versions prior to 1.28.0. The issue stems from a bug in the authentication logic related to master authentication tokens, which allows bypassing restrictions on feed visibility. Normally, when anonymous viewing is enabled, only the default user's feeds are accessible, while feeds belonging to other users remain private. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed master token handling, they can view private feeds of non-default users, resulting in high confidentiality impact without affecting integrity or availability.
The vulnerability was fixed in FreshRSS version 1.28.0, as detailed in the project's GitHub security advisory (GHSA-w743-fg6g-mhwh), the corresponding pull request (#8165), and the release notes. Security practitioners should upgrade to 1.28.0 or later and review configurations for anonymous viewing to mitigate exposure. The patching commit is available at https://github.com/FreshRSS/FreshRSS/commit/60cf5ea297a17db861e73cd65d7b7862bd6bcc24.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208442
Vulnerability details
FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds…
more
of other users should be private. This vulnerability is fixed in 1.28.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of public-facing web app via auth bypass for unauthorized data access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for logical access to private user feeds, directly countering the authorization bypass via flawed master token handling.
Requires timely remediation of the specific authentication flaw fixed in FreshRSS 1.28.0, preventing exploitation of the access control vulnerability.
Limits permitted actions without identification or authentication to only the default user's feeds when anonymous viewing is enabled, addressing the bypass of private feed restrictions.