VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-50872

Description

Selfoss v2.20-SNAPSHOT trusts loopback requests when behind a misconfigured reverse proxy, allowing unauthenticated attackers to create sources and perform SSRF.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the loopback request handling of fossar selfoss v2.20-SNAPSHOT. When selfoss runs behind a same-host reverse proxy that does not set forwarding headers (X-Forwarded-For or Forwarded), every proxied request reaches the application with REMOTE_ADDR=127.0.0.1 and no forwarded client address. AuthenticationFactory::create() therefore selects the Trust authentication implementation, because isLocalIp() sees a loopback REMOTE_ADDR and no forwarded-address headers. The Trust implementation answers the read, update, and privileged checks affirmatively for every request. The affected code path is reachable via POST /source, which calls Sources\Write::write(); that method relies on ensureIsPrivileged() before persisting a source, and under Trust the check passes for an unauthenticated external client. The attacker-controlled inputs are the source type, the source parameters, and the feed URL. When the submitted source title is empty, the source handling path fetches the attacker-supplied feed URL to derive metadata, which is the server-side request the attacker can direct [1].

Exploitation

An attacker needs network access to the selfoss instance, and the deployment must sit behind a same-host reverse proxy that does not set X-Forwarded-For or Forwarded headers, so that the application sees REMOTE_ADDR=127.0.0.1 and no forwarded address on every request. No authentication is required. The exploitation steps are:

  1. From an external, unauthenticated client, send POST /source with an RSS source type, an empty title, and source parameters containing a URL that points at an attacker-controlled listener or at an internal HTTP service.
  2. The request is accepted because the authentication factory selects the trusted local implementation and ensureIsPrivileged() passes.
  3. During title derivation or feed processing, the selfoss server fetches the supplied URL, so the listener or internal service receives a request that originates from the selfoss host.
  4. The source now exists in selfoss even though the requester never authenticated [1].

Impact

Successful exploitation allows an unauthenticated external attacker to create sources in selfoss, an operation that normally requires a privileged user, and thereby to change application state. In addition, the source fetching mechanism provides a Server-Side Request Forgery (SSRF) primitive: the attacker chooses the URL the selfoss server requests, so it can be pointed at internal services that are not reachable from outside or at external hosts the attacker controls. This can lead to information disclosure or further attacks against internal resources [1].

Mitigation

As of the publication date, no patched version of selfoss has been released. The recommended workaround is to configure the reverse proxy to set the X-Forwarded-For or Forwarded header on every request it passes to selfoss, so that the application can distinguish external requests from genuinely local ones. The header should carry the client address as the proxy itself observed it on the connection; a proxy that merely passes through whatever X-Forwarded-For a client sends lets that client choose the address the application evaluates. Deployments whose proxy already sets these headers are not affected. No other mitigations are documented in the available references [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • fossar/selfoss (inferred; no CPE)
    versions: = 2.20-SNAPSHOT

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"AuthenticationFactory::create() selects the Trust authentication implementation for requests appearing to originate from loopback, allowing unauthenticated external attackers to create sources and trigger server-side URL fetches."

Attack vector

An unauthenticated external attacker sends a crafted `POST /source` request to selfoss when it is deployed behind a same-host reverse proxy that does not preserve forwarding headers. Because the proxy presents the request with `REMOTE_ADDR=127.0.0.1` and no `X-Forwarded-For` or `Forwarded` header, `AuthenticationFactory::create()` selects the `Trust` authentication implementation, which treats the request as privileged. The attacker supplies an RSS source type, an empty title, and a feed URL pointing to an attacker-controlled listener or internal HTTP service, causing the server to fetch that URL and enabling an SSRF primitive. [ref_id=1]

Affected code

The vulnerability lies in `AuthenticationFactory::create()` which selects the `Trust` authentication implementation when `isLocalIp()` sees a loopback `REMOTE_ADDR` and no forwarded-address headers are present. The source creation path reaches `Sources\Write::write()` via `POST /source` and relies on `ensureIsPrivileged()` before persisting a source. When a reverse proxy makes external requests appear to originate from loopback without setting `X-Forwarded-For` or `Forwarded`, an external requester receives that trusted local authorization state.
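The decision described in the Vulnerability section above and in this Affected code section can be modelled in a few lines. The following is an added illustration written for this page, not selfoss source code: `vulnerable_is_local()`, `hardened_is_local()` and `choose_auth()` are hypothetical reconstructions of the behaviour the advisory attributes to `isLocalIp()` and `AuthenticationFactory::create()`, and the real implementation may differ in detail. The request environments are constructed; the key point they show is that a direct request from the host and an external request relayed by a header-stripping same-host proxy are indistinguishable to the application.

```python
"""Model of the loopback-trust decision described for CVE-2026-50872.

Added example, not selfoss code. vulnerable_is_local(), hardened_is_local() and
choose_auth() are hypothetical reconstructions of the decision the advisory
describes for isLocalIp() / AuthenticationFactory::create().
"""
import ipaddress

LOOPBACK_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)

# Assumed operator setting for the hardened variant: the only peers whose
# forwarded headers are believed.  Hypothetical; selfoss has no such knob here.
TRUSTED_PROXIES = ("127.0.0.1", "::1")


def is_loopback(addr):
    """True for 127.0.0.0/8 or ::1; False for anything unparsable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOOPBACK_NETS)


def forwarded_client(env):
    """Client address claimed by X-Forwarded-For (leftmost entry) or by the
    'for=' parameter of an RFC 7239 Forwarded header; None if neither is set."""
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    if xff.strip():
        return xff.split(",")[0].strip()
    for element in env.get("HTTP_FORWARDED", "").split(","):
        for pair in element.split(";"):
            key, _, value = pair.strip().partition("=")
            if key.lower() == "for" and value:
                value = value.strip('"')
                if value.startswith("["):          # for="[2001:db8::1]:4711"
                    return value[1:value.index("]")]
                return value.split(":")[0]         # for="203.0.113.5:4711"
    return None


def vulnerable_is_local(env):
    """The decision the advisory describes: the effective client address is the
    forwarded one if present, otherwise REMOTE_ADDR, and loopback means local.
    A same-host proxy that forwards nothing therefore makes every request local."""
    effective = forwarded_client(env) or env.get("REMOTE_ADDR", "")
    return is_loopback(effective)


def hardened_is_local(env, trusted_proxies):
    """One possible hardening (hypothetical, not the project's fix):
    forwarded headers are honoured only when the TCP peer is a configured proxy,
    and a request from that proxy without a forwarded client fails closed, since
    it means the proxy is misconfigured.  Headers from any other peer are ignored,
    so a direct client cannot claim to be 127.0.0.1 via X-Forwarded-For."""
    remote = env.get("REMOTE_ADDR", "")
    claimed = forwarded_client(env)
    if remote in trusted_proxies:
        return is_loopback(claimed) if claimed else False
    return is_loopback(remote)


def choose_auth(env, trusted_proxies=None):
    """'trust' stands for the Trust implementation, 'login' for the normal
    authenticated path (labels are ours).  Without trusted_proxies the
    vulnerable decision is used; with it, the hardened one."""
    if trusted_proxies is None:
        local = vulnerable_is_local(env)
    else:
        local = hardened_is_local(env, trusted_proxies)
    return "trust" if local else "login"


# Constructed CGI-style environments (the keys PHP exposes in $_SERVER).
DIRECT_ADMIN = {"REMOTE_ADDR": "127.0.0.1"}                 # curl on the host
MISCONFIGURED_PROXY = {"REMOTE_ADDR": "127.0.0.1"}          # 203.0.113.5 relayed, nothing forwarded
FIXED_PROXY_XFF = {"REMOTE_ADDR": "127.0.0.1",
                   "HTTP_X_FORWARDED_FOR": "203.0.113.5"}
FIXED_PROXY_FWD = {"REMOTE_ADDR": "127.0.0.1",
                   "HTTP_FORWARDED": 'for="203.0.113.5:4711";proto=https'}
SPOOF_ATTEMPT = {"REMOTE_ADDR": "203.0.113.9",              # direct client lying in XFF
                 "HTTP_X_FORWARDED_FOR": "127.0.0.1"}

if __name__ == "__main__":
    scenarios = [("direct admin", DIRECT_ADMIN),
                 ("misconfigured same-host proxy", MISCONFIGURED_PROXY),
                 ("proxy sets X-Forwarded-For", FIXED_PROXY_XFF),
                 ("proxy sets Forwarded", FIXED_PROXY_FWD),
                 ("spoofed XFF from direct client", SPOOF_ATTEMPT)]
    for name, env in scenarios:
        print(f"{name:34} vulnerable={choose_auth(env):5} "
              f"hardened={choose_auth(env, TRUSTED_PROXIES)}")
```

Note that `DIRECT_ADMIN` and `MISCONFIGURED_PROXY` are literally the same dictionary: nothing in the request tells the application whether 127.0.0.1 is the administrator's shell or a proxy relaying the internet. The hardened variant resolves that ambiguity by failing closed when a known proxy forwards no client address, at the cost of also denying local trust to a host-local request that is routed through the proxy without headers.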

What the fix does

The advisory does not provide a patch diff. The recommended remediation is to configure the reverse proxy to set forwarding headers (`X-Forwarded-For` or `Forwarded`) so that `isLocalIp()` identifies external requests as non-local, or to avoid deploying selfoss behind a same-host reverse proxy that does not set those headers. Without such changes, the `Trust` authentication implementation will continue to grant privileged access to unauthenticated external requests that appear to originate from loopback. [ref_id=1]
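The Mitigation section and this one both come down to one proxy setting. The configuration below is an added example for this page, not taken from the selfoss project or the advisory; the server name, the backend address `127.0.0.1:8080` and the use of nginx are assumptions, and the same change applies to any reverse proxy. The first block is the misconfiguration the advisory describes, the second the corrected form.

```nginx
# Weak: a same-host proxy that forwards nothing about the real client.
# selfoss receives REMOTE_ADDR=127.0.0.1 and no X-Forwarded-For/Forwarded,
# so every external request is judged local and handed to the Trust path.
server {
    listen 443 ssl;
    server_name reader.example.org;          # assumed hostname

    location / {
        proxy_pass http://127.0.0.1:8080;    # assumed selfoss backend
    }
}

# Corrected: the proxy states the connecting client's address itself.
# $remote_addr is the TCP peer as nginx observed it, so the header is
# overwritten on every request and a client cannot inject a loopback
# address by sending its own X-Forwarded-For.
server {
    listen 443 ssl;
    server_name reader.example.org;          # assumed hostname

    location / {
        proxy_pass http://127.0.0.1:8080;    # assumed selfoss backend
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The commonly copied `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends the peer address to whatever `X-Forwarded-For` the client already sent, so a client that supplies `X-Forwarded-For: 127.0.0.1` ends up with a loopback address as the leftmost entry. Whether selfoss reads the leftmost or the rightmost entry is not stated in the advisory, so setting the header to `$remote_addr` outright is the safer choice for a single-hop deployment; only use the appending form when an upstream proxy you control is guaranteed to have sanitised the header first.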

Preconditions

  • config: selfoss 2.20 must be deployed behind a same-host reverse proxy that does not set X-Forwarded-For or Forwarded headers
  • network: the reverse proxy must present external requests with REMOTE_ADDR=127.0.0.1
  • auth: no authentication is required; the attacker can be unauthenticated
  • input: the attacker must supply a crafted POST /source request with an RSS source type, an empty title, and a feed URL

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
