CVE-2025-54875
FreshRSS · FreshRSS
A critical vulnerability has been identified in the FreshRSS aggregator software, which allows an unprivileged attacker to create a new administrator account.
Executive summary
A critical vulnerability has been identified in the FreshRSS aggregator software, which allows an unprivileged attacker to create a new administrator account. Successful exploitation, which is possible when user registration is enabled on the server, could lead to a complete takeover of the application, data theft, and further attacks against the host system.
Vulnerability
This vulnerability allows for privilege escalation due to improper input validation during the user registration process. When public registration is enabled, an unauthenticated attacker can send a specially crafted request to the user creation endpoint. The handler accepts client-controlled parameters that determine the new account's role, so by manipulating those parameters the attacker can register an account and assign it administrative privileges, bypassing normal authorization controls and gaining complete control over the FreshRSS instance. An attacker who already holds an ordinary user account is equally able to abuse the same endpoint.
Business impact
This vulnerability is rated as critical with a CVSS score of 9.8. Successful exploitation grants an attacker full administrative control over the FreshRSS application. This could lead to the theft of sensitive information from aggregated feeds, unauthorized modification or deletion of data, and service disruption. Furthermore, a compromised web application can serve as a foothold for attackers to launch further attacks against the underlying server and other systems within the organization's network, posing a significant risk to data confidentiality, integrity, and availability.
Remediation
Immediate Action: Update all FreshRSS instances to the latest available version (newer than 1.26.3) to patch the vulnerability. After patching, review all user accounts, especially those with administrative privileges, against a known-good list and remove any unauthorized accounts that may have been created. Because an attacker-created administrator may have changed settings, added feeds or extensions, or rotated credentials of other users, also review configuration changes made since the last known-good state and reset passwords of any account the attacker could have modified.
Proactive Monitoring: Monitor web server and application access logs for unusual POST requests to user registration pages. Scrutinize logs for the creation of new user accounts, particularly any that are immediately followed by administrative actions. An increase in registration attempts from unknown sources could indicate scanning or exploitation activity.
Compensating Controls: If patching is not immediately possible, disable public user registration within the FreshRSS application settings. This action removes the primary attack vector. Additionally, consider placing the application behind a Web Application Firewall (WAF) with rules designed to inspect and block malicious user registration attempts.
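The Proactive Monitoring item above describes two detection ideas: a registration POST followed shortly by administrative actions from the same client, and a burst of registration attempts from one source. The script below is an added example of that logic run over a few constructed access-log lines; it is not part of the original advisory or of the FreshRSS project. The endpoint query strings (c=auth&a=register and c=user&a=create for registration/creation, c=user&a=manage, c=configure, c=extension and c=update for admin-only pages) are assumptions about FreshRSS routing and should be adjusted to what your deployment actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of combined-format access-log lines (not real traffic).
# 203.0.113.7 registers and immediately opens the user-management page;
# 192.0.2.9 hammers the registration endpoint; 198.51.100.4 is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2025:10:01:02 +0000] "GET /i/?c=auth&a=register HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:10:01:05 +0000] "POST /i/?c=auth&a=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:10:01:09 +0000] "GET /i/?c=user&a=manage HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Aug/2025:10:05:00 +0000] "POST /i/?c=auth&a=register HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.4 - - [12/Aug/2025:10:07:30 +0000] "GET /i/?c=index&a=normal HTTP/1.1" 200 9000 "-" "curl/8.0"
192.0.2.9 - - [12/Aug/2025:10:08:00 +0000] "POST /i/?c=auth&a=register HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.9 - - [12/Aug/2025:10:08:01 +0000] "POST /i/?c=auth&a=register HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.9 - - [12/Aug/2025:10:08:02 +0000] "POST /i/?c=auth&a=register HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.9 - - [12/Aug/2025:10:08:03 +0000] "POST /i/?c=auth&a=register HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed FreshRSS query strings; these are not taken from the advisory.
REGISTER_PATHS = ("c=auth&a=register", "c=user&a=create")
ADMIN_PATHS = ("c=user&a=manage", "c=configure", "c=extension", "c=update")


def parse(log_text):
    """Yield one dict per parsable log line with the timestamp converted."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec


def find_suspicious(log_text, window=timedelta(minutes=5), burst=3):
    """Return (followed, bursts).

    followed: (ip, registration POST time, admin path) for clients whose
              registration POST is followed by an admin-page request within
              `window`; bursts: (ip, count) for clients with >= `burst`
              registration POSTs."""
    events = list(parse(log_text))
    reg_posts = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and any(p in e["path"] for p in REGISTER_PATHS):
            reg_posts[e["ip"]].append(e["ts"])

    followed = []
    for e in events:
        if any(p in e["path"] for p in ADMIN_PATHS):
            for t in reg_posts.get(e["ip"], []):
                if t <= e["ts"] <= t + window:
                    followed.append((e["ip"], t.isoformat(), e["path"]))
                    break

    bursts = [(ip, len(ts)) for ip, ts in reg_posts.items() if len(ts) >= burst]
    return followed, bursts


if __name__ == "__main__":
    followed, bursts = find_suspicious(SAMPLE_LOG)
    for ip, when, path in followed:
        print(f"ALERT registration at {when} from {ip} followed by admin action {path}")
    for ip, n in bursts:
        print(f"ALERT {n} registration POSTs from {ip}")
```

The registration-then-admin rule is the higher-fidelity signal for this CVE, since a legitimately registered user cannot reach admin-only pages at all; the burst rule mostly catches scanning. Both keys on client IP, which is weak behind a shared NAT or proxy, so prefer the application's own user-creation events (including the user's creation time and role) wherever FreshRSS logs them.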
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity (CVSS 9.8) of this vulnerability, which allows for a complete system takeover, immediate action is required. We strongly recommend that all affected FreshRSS instances be updated to the latest secure version without delay. If patching is not immediately feasible, the user registration feature must be disabled as a critical compensating control. Although this CVE is not currently listed on the CISA KEV catalog, its high impact and ease of exploitation warrant treating it with the highest priority for remediation.