High severity 7.5 · NVD Advisory · Published Mar 17, 2023 · Updated Jun 17, 2026
CVE-2023-27591
Description
Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default). A patch is available in Miniflux 2.0.43. As a workaround, set METRICS_COLLECTOR to false (default) or run Miniflux behind a trusted reverse-proxy.
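A configuration audit for the condition described above, added here as an example (not code from Miniflux or from the advisory). It assumes an env-file style configuration of KEY=VALUE lines, plain dotted version strings, and that 1/yes/true/on are the truthy spellings of METRICS_COLLECTOR; the function names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// parseEnv reads KEY=VALUE lines, skipping blank lines and # comments.
func parseEnv(text string) map[string]string {
	env := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		k, v, ok := strings.Cut(line, "=")
		if !ok || strings.HasPrefix(line, "#") {
			continue
		}
		env[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"'`)
	}
	return env
}

// olderThan reports whether dotted version v sorts before fixed.
func olderThan(v, fixed string) bool {
	var a, b [3]int
	fmt.Sscanf(v, "%d.%d.%d", &a[0], &a[1], &a[2])
	fmt.Sscanf(fixed, "%d.%d.%d", &b[0], &b[1], &b[2])
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Audit classifies a deployment against the conditions in CVE-2023-27591.
func Audit(version, envText string) string {
	switch strings.ToLower(parseEnv(envText)["METRICS_COLLECTOR"]) {
	case "1", "yes", "true", "on": // truthy spellings are an assumption
		if olderThan(version, "2.0.43") {
			return "affected: upgrade to 2.0.43 or set METRICS_COLLECTOR=false"
		}
		return "ok: collector enabled on a patched release (>= 2.0.43)"
	}
	return "ok: metrics collector disabled"
}

func main() {
	conf := "METRICS_COLLECTOR=1\nMETRICS_ALLOWED_NETWORKS=127.0.0.1/8\n" // constructed sample
	fmt.Println(Audit("2.0.42", conf), "|", Audit("2.0.43", conf))
}
```

The audit reads configuration only; it cannot tell whether the instance sits behind a trusted reverse proxy, which the advisory lists as the other workaround.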
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| miniflux.app/v2 (Go) | < 2.0.43 | 2.0.43 |
| miniflux.app (Go) | <= 1.0.46 | — |
Affected products (3)
- ghsa-coords: 2 versions (<= 1.0.46, + 1 more)
- (no CPE) range: <= 1.0.46
- (no CPE) range: < 2.0.43
References (6)
- github.com/miniflux/v2/pull/1745 (nvd: Issue Tracking, Patch, WEB)
- github.com/advisories/GHSA-3qjf-qh38-x73v (ghsa: ADVISORY)
- github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v (nvd: Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-27591 (ghsa: ADVISORY)
- github.com/miniflux/v2/releases/tag/2.0.43 (nvd: Release Notes, WEB)
- miniflux.app/docs/configuration.html (nvd: Product, WEB)