Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Lifecycle Timeline
6DescriptionGitHub Advisory
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource.
AnalysisAI
Server-side request forgery in Postiz (gitroomhq postiz-app) versions prior to 2.21.5 allows unauthenticated remote attackers to access internal network resources and exfiltrate sensitive data via the /api/public/stream endpoint. The vulnerability exploits inadequate redirect validation: attackers supply public HTTPS URLs that pass initial validation but redirect server requests to private internal hosts, bypassing security controls. High confidentiality impact with potential service disruption. No public exploit identified at time of analysis.
Technical ContextAI
CWE-918 SSRF caused by incomplete redirect chain validation. Application validates initial URL against private/internal IP ranges but fails to re-validate final destination after HTTP 3xx redirects. Attacker-controlled public URLs trigger server-side fetches that follow redirects to RFC1918 addresses, cloud metadata endpoints, or localhost services, bypassing allowlist controls.
RemediationAI
Vendor-released patch: upgrade to Postiz version 2.21.5 or later, which implements redirect destination validation to prevent SSRF via the /api/public/stream endpoint. Upstream commit 30e8b777098157362769226d1b46d83ad616cb06 addresses redirect chain validation. Organizations unable to upgrade immediately should implement network egress filtering to block server-initiated requests to internal IP ranges and apply web application firewall rules restricting /api/public/stream access. Consult vendor security advisory at https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww for technical details. Release notes available at https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.5
More in Postiz App
View allPrivilege escalation to SUPERADMIN in Postiz (gitroomhq/postiz-app) versions prior to 2.21.8 allows any authenticated us
Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who c
Server-side request forgery in Postiz AI social media scheduling tool (versions < 2.21.3) allows unauthenticated remote
Server-side request forgery (SSRF) in Postiz social media scheduling tool versions prior to 2.21.3 allows authenticated
Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.
Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added i
Server-side request forgery (SSRF) in Postiz prior to version 2.21.4 allows authenticated users to create webhooks point
Unauthenticated exploitation of Postiz's `/public/modify-subscription` endpoint allowed any caller in possession of a va
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21571