Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.) which is trivially bypassed by appending an image extension to any URL path. An authenticated API user can fetch internal network resources, cloud instance metadata, and other internal services, with the response data uploaded to storage and returned to the attacker. This issue has been patched in version 2.21.3.
AnalysisAI
Server-side request forgery (SSRF) in Postiz social media scheduling tool versions prior to 2.21.3 allows authenticated API users to fetch arbitrary URLs by exploiting the POST /public/v1/upload-from-url endpoint, which performs server-side URL fetching via axios without SSRF protections and relies solely on a bypassable file extension check. Attackers can retrieve internal network resources, cloud metadata, and internal service data, with responses captured and returned to the attacker. Vendor-released patch available in version 2.21.3.
Technical ContextAI
Postiz implements a server-side URL fetching mechanism in the POST /public/v1/upload-from-url endpoint that uses axios.get() to retrieve remote content. The vulnerability stems from CWE-918 (Server-Side Request Forgery), a class of attacks where insufficient input validation on URLs allows attackers to bypass network boundary controls. The only validation present is a file extension allowlist (.png, .jpg, etc.), which provides no protection against SSRF as extension-based validation can be circumvented by appending valid extensions to arbitrary URLs (e.g., http://169.254.169.254/latest/meta-data/?v=.jpg for AWS metadata). The fetched content is then stored and returned to the user, enabling exfiltration of sensitive internal data. CPE cpe:2.3:a:gitroomhq:postiz-app:*:*:*:*:*:*:*:* indicates all versions prior to 2.21.3 are vulnerable.
RemediationAI
Upgrade Postiz to version 2.21.3 or later, which patches the SSRF vulnerability. The patch is available at https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3. Users should apply this update immediately if running Postiz with API access exposed to authenticated users, particularly in environments with sensitive internal network resources or cloud deployments. As a temporary workaround pending patching, restrict API access to the POST /public/v1/upload-from-url endpoint using network-level access controls or WAF rules that block requests to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, and 127.0.0.0/8). See GitHub Security Advisory GHSA-89vp-m2qw-7v34 for additional details: https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-89vp-m2qw-7v34.
More in Postiz App
View allPrivilege escalation to SUPERADMIN in Postiz (gitroomhq/postiz-app) versions prior to 2.21.8 allows any authenticated us
Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who c
Server-side request forgery in Postiz AI social media scheduling tool (versions < 2.21.3) allows unauthenticated remote
Server-side request forgery in Postiz (gitroomhq postiz-app) versions prior to 2.21.5 allows unauthenticated remote atta
Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.
Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added i
Server-side request forgery (SSRF) in Postiz prior to version 2.21.4 allows authenticated users to create webhooks point
Unauthenticated exploitation of Postiz's `/public/modify-subscription` endpoint allowed any caller in possession of a va
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18446