Skip to main content

Postiz App CVE-2026-34590

| EUVDEUVD-2026-18452 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-02 GitHub_M
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.21.4
EUVD ID Assigned
Apr 02, 2026 - 18:15 euvd
EUVD-2026-18452
Analysis Generated
Apr 02, 2026 - 18:15 vuln.today
CVE Published
Apr 02, 2026 - 17:26 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4.

AnalysisAI

Server-side request forgery (SSRF) in Postiz prior to version 2.21.4 allows authenticated users to create webhooks pointing to internal or private network addresses, which are then fetched without runtime validation when posts are published, enabling blind SSRF attacks against internal services. The vulnerability stems from inconsistent input validation: the webhook creation endpoint (POST /webhooks/) uses only basic URL format checking, while the update and test endpoints correctly enforce strict URL validation. CVSS 5.4 with EPSS exploitation probability reflects the requirement for authentication and limited direct impact, though the ability to target internal infrastructure represents meaningful risk.

Technical ContextAI

Postiz is a Node.js-based social media scheduling application that accepts webhook URLs for post publishing events. The vulnerability arises from CWE-918 (Server-Side Request Forgery) in the webhook management system. The POST /webhooks/ endpoint in WebhooksDto validates the URL field using only the @IsUrl() decorator, which performs format validation but does not filter internal/reserved IP ranges or private domain namespaces. In contrast, the PUT /webhooks/ (update) and POST /webhooks/send (test) endpoints correctly apply the @IsSafeWebhookUrl validator, which blocks RFC1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost variants, and link-local addresses. During post publication, the orchestrator retrieves the stored webhook URL and makes HTTP requests without repeating runtime validation, enabling exploitation of the initial validation gap. The affected CPE is cpe:2.3:a:gitroomhq:postiz-app:*:*:*:*:*:*:*:* with confirmed impact up to and including version 2.21.3.

RemediationAI

Upgrade Postiz to version 2.21.4 or later immediately. The patched version applies the @IsSafeWebhookUrl validator consistently across all webhook endpoints (creation, update, and test), blocking requests to internal/private addresses. Users unable to upgrade immediately should implement network-level controls: restrict outbound connections from the Postiz application host to internal networks using firewall rules, or deploy the application in a DMZ with no direct routing to internal subnets. Review existing webhooks in the application for any pointing to non-public URLs and delete them. Refer to the official security advisory at https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-wc9c-7cv8-m225 for detailed patch notes and the commit at https://github.com/gitroomhq/postiz-app/commit/5ae4c950db6aa516a31454b7a45b9480bca40a11 for validation implementation details.

Share

CVE-2026-34590 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy