Skip to main content

Postiz App CVE-2026-34576

| EUVDEUVD-2026-18446 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-02 GitHub_M
8.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:08 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.21.3
EUVD ID Assigned
Apr 02, 2026 - 17:30 euvd
EUVD-2026-18446
Analysis Generated
Apr 02, 2026 - 17:30 vuln.today
CVE Published
Apr 02, 2026 - 17:23 nvd
HIGH 8.3

DescriptionGitHub Advisory

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.) which is trivially bypassed by appending an image extension to any URL path. An authenticated API user can fetch internal network resources, cloud instance metadata, and other internal services, with the response data uploaded to storage and returned to the attacker. This issue has been patched in version 2.21.3.

AnalysisAI

Server-side request forgery (SSRF) in Postiz social media scheduling tool versions prior to 2.21.3 allows authenticated API users to fetch arbitrary URLs by exploiting the POST /public/v1/upload-from-url endpoint, which performs server-side URL fetching via axios without SSRF protections and relies solely on a bypassable file extension check. Attackers can retrieve internal network resources, cloud metadata, and internal service data, with responses captured and returned to the attacker. Vendor-released patch available in version 2.21.3.

Technical ContextAI

Postiz implements a server-side URL fetching mechanism in the POST /public/v1/upload-from-url endpoint that uses axios.get() to retrieve remote content. The vulnerability stems from CWE-918 (Server-Side Request Forgery), a class of attacks where insufficient input validation on URLs allows attackers to bypass network boundary controls. The only validation present is a file extension allowlist (.png, .jpg, etc.), which provides no protection against SSRF as extension-based validation can be circumvented by appending valid extensions to arbitrary URLs (e.g., http://169.254.169.254/latest/meta-data/?v=.jpg for AWS metadata). The fetched content is then stored and returned to the user, enabling exfiltration of sensitive internal data. CPE cpe:2.3:a:gitroomhq:postiz-app:*:*:*:*:*:*:*:* indicates all versions prior to 2.21.3 are vulnerable.

RemediationAI

Upgrade Postiz to version 2.21.3 or later, which patches the SSRF vulnerability. The patch is available at https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3. Users should apply this update immediately if running Postiz with API access exposed to authenticated users, particularly in environments with sensitive internal network resources or cloud deployments. As a temporary workaround pending patching, restrict API access to the POST /public/v1/upload-from-url endpoint using network-level access controls or WAF rules that block requests to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, and 127.0.0.0/8). See GitHub Security Advisory GHSA-89vp-m2qw-7v34 for additional details: https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-89vp-m2qw-7v34.

Share

CVE-2026-34576 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy