
v2

v2.3.1 Security

This release includes 4 security fixes and is relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched

Topics: atom, feed, go, jsonfeed, letsencrypt, opml, postgresql, rdf, rss

Affected surfaces: auth, rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 5d

Release 2.3.1 patches critical security flaws: OAuth binding vulnerability, open‑redirect via backslashes, SQL injection in ORDER BY clauses, and hardens metrics authentication.

Why it matters: These fixes address high‑severity (≥70) vulnerabilities that could enable identity takeover, unauthorized redirects, or data exfiltration; operators should upgrade immediately.

Summary

AI summary

Fixed multiple security vulnerabilities including OAuth binding, open redirect, SQL injection and hardened metrics authentication.

Changes in this release

  • Security (Critical): Fixes OAuth account binding vulnerability allowing arbitrary identity association.
  • Security (High): Fixes open redirect vulnerability caused by backslashes in relative URLs.
  • Security (High): Fixes potential SQL injection in dynamically generated ORDER BY clauses.
  • Security (High): Hardens metrics endpoint authentication using constant-time comparisons.
  • Feature (Low): Adds Korean language support.
  • Dependency (Low): Updated dependencies: go-webauthn/webauthn 0.17.4, golang.org/x/crypto 0.52.0, golang.org/x/image 0.41.0, golang.org/x/net 0.55.0.
  • Performance (Medium): Improves HTML truncation performance and reduces memory allocations.
  • Performance (Medium): Optimizes feed discovery, subscription detection, date parsing, and tag filtering.
  • Bugfix (Medium): Fixes stdlib cross-origin protection middleware blocking legitimate requests in self-hosted environments (middleware reverted).
  • Refactor (Low): Simplifies and refactors storage and query-building components for maintainability.

Source (all entries): llm_adapter@2026-05-29

Confidence (all entries): high

Full changelog

Security

  • Fixed an OAuth account binding vulnerability that could allow users to associate arbitrary OAuth identities with their account.
  • Fixed an open redirect vulnerability caused by backslashes in relative redirect URLs.
  • Fixed a potential SQL injection vulnerability in dynamically generated ORDER BY clauses.
  • Hardened metrics endpoint authentication by using constant-time credential comparisons.
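The four entries above are one-line descriptions. As an added illustration that is not Miniflux's code (the column names, the `IsSafeRedirect`, `BuildOrderBy` and `CredentialsMatch` functions, and the sample inputs are all constructed for this example), the Go snippet below shows the shape of three of the defensive checks the list names: rejecting backslashes in redirect targets, allowlisting ORDER BY columns, and comparing metrics credentials in constant time.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// IsSafeRedirect reports whether target is an in-site relative path.
// Browsers normalise backslashes to forward slashes, so "/\host" is
// interpreted as the protocol-relative URL "//host"; the check therefore
// rejects any backslash, not just a literal "//" prefix. Absolute URLs,
// protocol-relative URLs and CR/LF (header injection) are rejected too.
func IsSafeRedirect(target string) bool {
	if target == "" || target[0] != '/' {
		return false
	}
	if strings.HasPrefix(target, "//") || strings.ContainsAny(target, "\\\r\n") {
		return false
	}
	return true
}

// allowedSortColumns maps user-facing sort keys to SQL identifiers.
// Hypothetical schema for this example; the point is that the SQL
// fragment is chosen from the map, never copied from the request.
var allowedSortColumns = map[string]string{
	"published_at": "entries.published_at",
	"title":        "entries.title",
	"status":       "entries.status",
}

// BuildOrderBy returns an ORDER BY clause built only from allowlisted
// identifiers and a normalised direction; anything else is an error.
func BuildOrderBy(column, direction string) (string, error) {
	sqlColumn, ok := allowedSortColumns[column]
	if !ok {
		return "", fmt.Errorf("unknown sort column %q", column)
	}
	switch strings.ToLower(direction) {
	case "asc":
		direction = "ASC"
	case "desc":
		direction = "DESC"
	default:
		return "", fmt.Errorf("invalid sort direction %q", direction)
	}
	return "ORDER BY " + sqlColumn + " " + direction, nil
}

// CredentialsMatch compares a username/password pair in constant time.
// Both sides are hashed first so the byte slices handed to
// subtle.ConstantTimeCompare always have equal length (it returns 0
// immediately on a length mismatch, which would leak the length).
// The two results are combined with a bitwise AND rather than &&, so
// the password comparison runs even when the username is wrong.
func CredentialsMatch(expectedUser, expectedPass, gotUser, gotPass string) bool {
	eu, gu := sha256.Sum256([]byte(expectedUser)), sha256.Sum256([]byte(gotUser))
	ep, gp := sha256.Sum256([]byte(expectedPass)), sha256.Sum256([]byte(gotPass))
	return subtle.ConstantTimeCompare(eu[:], gu[:])&subtle.ConstantTimeCompare(ep[:], gp[:]) == 1
}

func main() {
	// Constructed sample inputs for a quick stand-alone run.
	for _, t := range []string{"/feeds?page=2", `/\host.example`, "//host.example", "https://host.example"} {
		fmt.Printf("%-24q safe=%v\n", t, IsSafeRedirect(t))
	}
	if clause, err := BuildOrderBy("published_at", "desc"); err == nil {
		fmt.Println(clause)
	}
	if _, err := BuildOrderBy("nonexistent_column", "asc"); err != nil {
		fmt.Println("rejected:", err)
	}
	fmt.Println("credentials match:", CredentialsMatch("metrics", "s3cret", "metrics", "s3cret"))
}
```

The redirect check is deliberately stricter than "does it start with a single slash": a single backslash anywhere is enough to reject, because what matters is how the browser will parse the Location header, not how `net/url` parses it on the server.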

Bug Fixes

  • Fixed an issue where the stdlib cross-origin protection middleware could block legitimate requests in certain self-hosted environments. The middleware has been reverted.

Improvements

  • Added Korean language support.
  • Improved HTML truncation performance and reduced memory allocations.
  • Optimized feed discovery, subscription detection, date parsing, and tag filtering.
  • Simplified and refactored several storage and query-building components for better maintainability.

Dependencies

Updated several dependencies, including:

  • github.com/go-webauthn/webauthn 0.17.4
  • golang.org/x/crypto 0.52.0
  • golang.org/x/image 0.41.0
  • golang.org/x/net 0.55.0

As always, thank you to all contributors who helped improve Miniflux in this release.



About v2

Minimalist and opinionated feed reader

