
v2

v2.3.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

atom, feed, go, jsonfeed, letsencrypt, opml, postgresql, rdf, rss

Affected surfaces

auth rbac

ReleasePort's take

Moderate signal

Non‑resident WebAuthn credentials are now disallowed for first‑factor login to block username enumeration.

Why it matters: Disallowing non‑resident credentials for first‑factor login removes a vector that could reveal which usernames exist before the password check, which strengthens authentication.

Summary

AI summary

Non‑resident WebAuthn credentials can no longer be used for first‑factor login to prevent username enumeration.

Changes in this release

Security

  • Medium: Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Non-resident credentials can no longer be used for first-factor authentication to prevent username enumeration before password verification. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Persist WebAuthn backup eligibility/state and validated credential state after login. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Require POST requests for logout, feed refresh, and OAuth2 unlink actions. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Apply CSRF protection to all non-safe HTTP methods. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Add http.CrossOriginProtection middleware for the web UI. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Validate redirect URL schemes in HTMLRedirect to prevent unsafe redirects. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Restore URL scheme validation in templates for untrusted feed URLs. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Sanitize filenames in Content-Disposition headers to prevent header injection. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Reject empty OAuth2 state parameters when no authentication flow is in progress. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Validate URI schemes case‑insensitively according to RFC 3986. (Source: granite4.1:30b@2026-05-22-audit; confidence: low)
  • Low: Pin third‑party GitHub Actions to immutable commit SHAs to reduce supply‑chain risks. (Source: granite4.1:30b@2026-05-22-audit; confidence: high)

Feature

  • Medium: Add support for exporting and importing Miniflux-specific feed settings in OPML files. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Add enclosure links rewrite rule to expose podcast/video enclosure URLs inside entry content for external RSS clients. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Add support for the shortcuts: iOS URL scheme in sanitized content. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Add Linux riscv64 builds. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Allow disabling local authentication without enabling automatic OAuth2/auth-proxy user creation. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Improve error handling and cleanup in WebAuthn login flows. (Source: granite4.1:30b@2026-05-22-audit; confidence: high)
  • Low: Cap the maximum entry limit to 1000 across UI, API, and storage layer. (Source: granite4.1:30b@2026-05-22-audit; confidence: high)
  • Low: Improve Chinese Traditional (zh‑TW) translations. (Source: granite4.1:30b@2026-05-22-audit; confidence: high)
  • Low: Improve RSS parsing for feeds that reuse the same GUID across multiple entries. (Source: granite4.1:30b@2026-05-22-audit; confidence: high)
  • Low: Improve UI consistency for authentication settings and external‑link behavior. (Source: granite4.1:30b@2026-05-22-audit; confidence: high)
  • Low: Automatically clean up orphaned feed icons from the database. (Source: granite4.1:30b@2026-05-22-audit; confidence: high)
  • Low: Detect Cloudflare bot challenge pages during feed refresh and return a dedicated error message. (Source: granite4.1:30b@2026-05-22-audit; confidence: high)
  • Low: Allow configured private proxies while still enforcing private‑network restrictions for direct requests and redirects. (Source: granite4.1:30b@2026-05-22-audit; confidence: low)

Performance

  • Medium: Improve sanitizer performance significantly and reduce allocations in multiple hot paths. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Optimize reading-time calculation to avoid unnecessary allocations. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Improve feed parsing performance by preallocating slices/maps and reducing string allocations. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Optimize ISO8601 duration parsing for YouTube and podcast feeds. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Reduce database queries for navigation metadata and storage operations. (Source: llm_adapter@2026-05-21; confidence: high)
  • Medium: Optimize template rendering for icons and CSP generation. (Source: llm_adapter@2026-05-21; confidence: low)
  • Medium: Avoid loading entry content from PostgreSQL when not needed. (Source: llm_adapter@2026-05-21; confidence: low)
  • Medium: Reuse a singleton HTML minifier instance instead of allocating one per request. (Source: llm_adapter@2026-05-21; confidence: low)
  • Medium: Optimize string handling in the reader and sanitizer packages. (Source: llm_adapter@2026-05-21; confidence: low)

Bugfix

  • Medium: Fix incorrect read/starred toggling in Google Reader API. (Source: llm_adapter@2026-05-21; confidence: low)
  • Medium: Prevent archived/deleted entries from reappearing as unread by using a tombstone table and removing the removed entry status. (Source: llm_adapter@2026-05-21; confidence: low)
  • Medium: Fix handling of slow HTTP headers. (Source: llm_adapter@2026-05-21; confidence: low)
  • Medium: Fix "open in new tab" behavior for redirected external entry links. (Source: llm_adapter@2026-05-21; confidence: low)
  • Medium: Fix Wallabag integration typo in error messages. (Source: llm_adapter@2026-05-21; confidence: low)

Refactor

  • Low: Simplify large feed and user deletions using ON DELETE CASCADE. (Source: granite4.1:30b@2026-05-22-audit; confidence: high)

Full changelog

Security

  • Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login.
  • Non-resident credentials can no longer be used for first-factor authentication to prevent username enumeration before password verification. They are intended for post-password MFA flows, which Miniflux does not currently support.
  • Persist WebAuthn backup eligibility/state and validated credential state after login.
  • Require POST requests for logout, feed refresh, and OAuth2 unlink actions.
  • Apply CSRF protection to all non-safe HTTP methods.
  • Add http.CrossOriginProtection middleware for the web UI.
  • Validate redirect URL schemes in HTMLRedirect to prevent unsafe redirects.
  • Restore URL scheme validation in templates for untrusted feed URLs.
  • Sanitize filenames in Content-Disposition headers to prevent header injection.
  • Reject empty OAuth2 state parameters when no authentication flow is in progress.
  • Allow configured private proxies while still enforcing private-network restrictions for direct requests and redirects.
  • Validate URI schemes case-insensitively according to RFC 3986.
  • Pin third-party GitHub Actions to immutable commit SHAs to reduce supply-chain risks.
  • Cap the maximum entry limit to 1000 across the UI, API, and storage layer.
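The enumeration risk behind the first two Security items, shown as an added illustration in Go rather than Miniflux's own code: a first-factor login that accepts non-resident credentials has to look the typed username up to build an allowCredentials list before any password check, so existing and non-existing names answer differently, whereas a discoverable-credential (passkey) flow starts with no username and can return one uniform failure. The user store, usernames, credential IDs and function names are all constructed for this example.

```go
package main

import "errors"

// Constructed in-memory store; usernames and credential IDs are made up.
type Credential struct {
	ID           string
	Discoverable bool // resident key / passkey
}

var users = map[string][]Credential{
	"alice": {{ID: "cred-alice-1", Discoverable: true}},
	"bob":   {{ID: "cred-bob-1", Discoverable: false}},
}

// credentialOwner stands in for the user handle an authenticator returns
// with a discoverable credential, so the server never needs a typed username.
var credentialOwner = map[string]string{"cred-alice-1": "alice", "cred-bob-1": "bob"}
var errAuthFailed = errors.New("authentication failed")

// legacyBeginLogin is the non-resident first-factor pattern: the username must
// be looked up to build allowCredentials before any password check, so existing
// and non-existing names yield observably different answers.
func legacyBeginLogin(username string) ([]string, error) {
	creds, ok := users[username]
	if !ok {
		return nil, errors.New("unknown user") // distinguishable: enumeration
	}
	ids := make([]string, 0, len(creds))
	for _, c := range creds {
		ids = append(ids, c.ID)
	}
	return ids, nil
}

// finishDiscoverableLogin is the restricted flow: the challenge carried no
// username, the authenticator chose the credential, and the server accepts it
// only if it was registered as discoverable. Every failure is the same error.
func finishDiscoverableLogin(credID string) (string, error) {
	owner, ok := credentialOwner[credID]
	if !ok {
		return "", errAuthFailed
	}
	for _, c := range users[owner] {
		if c.ID == credID && c.Discoverable {
			return owner, nil
		}
	}
	return "", errAuthFailed
}
```

The restricted flow still rejects bob's non-resident credential, which matches the changelog's note that such credentials belong in a post-password MFA step rather than as a first factor.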

Improvements

  • Add support for exporting and importing Miniflux-specific feed settings in OPML files, allowing full feed configuration backups and restores.
  • Add enclosure links rewrite rule to expose podcast/video enclosure URLs inside entry content for external RSS clients.
  • Add support for the shortcuts: iOS URL scheme in sanitized content.
  • Add Linux riscv64 builds.
  • Allow disabling local authentication without enabling automatic OAuth2/auth-proxy user creation.
  • Improve Chinese Traditional (zh-TW) translations.
  • Improve RSS parsing for feeds that reuse the same GUID across multiple entries.
  • Improve UI consistency for authentication settings and external-link behavior.
  • Automatically clean up orphaned feed icons from the database.
  • Detect Cloudflare bot challenge pages during feed refresh and return a dedicated error message.
  • Improve error handling and cleanup in WebAuthn login flows.
  • Simplify large feed and user deletions using ON DELETE CASCADE.

Performance

  • Improve sanitizer performance significantly and reduce allocations in multiple hot paths.
  • Optimize reading-time calculation to avoid unnecessary allocations.
  • Improve feed parsing performance by preallocating slices/maps and reducing string allocations.
  • Optimize ISO8601 duration parsing for YouTube and podcast feeds.
  • Reduce database queries for navigation metadata and storage operations.
  • Optimize template rendering for icons and CSP generation.
  • Avoid loading entry content from PostgreSQL when not needed.
  • Reuse a singleton HTML minifier instance instead of allocating one per request.
  • Optimize string handling in the reader and sanitizer packages.

Bug Fixes

  • Fix incorrect read/starred toggling in Google Reader API.
  • Prevent archived/deleted entries from reappearing as unread by using a tombstone table and removing the removed entry status.
  • Fix handling of slow HTTP headers.
  • Fix "open in new tab" behavior for redirected external entry links.
  • Fix Wallabag integration typo in error messages.

Dependency Updates

  • Update github.com/go-webauthn/webauthn to v0.17.3.
  • Update various golang.org/x/* packages.
  • Update github.com/coreos/go-oidc/v3 to v3.18.0.
  • Update github.com/tdewolff/minify/v2 to v2.24.13.

As always, thank you to all contributors who helped improve Miniflux in this release.

Breaking Changes

  • Non‑resident WebAuthn credentials can no longer be used for first‑factor authentication.

Security Fixes

  • Restrict WebAuthn login to discoverable credentials only (resident keys / passkeys) to prevent username enumeration before password verification.


About v2

Minimalist and opinionated feed reader
