Skip to main content

Postiz App CVE-2026-40168

| EUVDEUVD-2026-21571 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-10 GitHub_M
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:58 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.21.5
EUVD ID Assigned
Apr 10, 2026 - 20:15 euvd
EUVD-2026-21571
Analysis Generated
Apr 10, 2026 - 20:15 vuln.today
CVE Published
Apr 10, 2026 - 19:20 nvd
HIGH 8.2

DescriptionGitHub Advisory

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource.

AnalysisAI

Server-side request forgery in Postiz (gitroomhq postiz-app) versions prior to 2.21.5 allows unauthenticated remote attackers to access internal network resources and exfiltrate sensitive data via the /api/public/stream endpoint. The vulnerability exploits inadequate redirect validation: attackers supply public HTTPS URLs that pass initial validation but redirect server requests to private internal hosts, bypassing security controls. High confidentiality impact with potential service disruption. No public exploit identified at time of analysis.

Technical ContextAI

CWE-918 SSRF caused by incomplete redirect chain validation. Application validates initial URL against private/internal IP ranges but fails to re-validate final destination after HTTP 3xx redirects. Attacker-controlled public URLs trigger server-side fetches that follow redirects to RFC1918 addresses, cloud metadata endpoints, or localhost services, bypassing allowlist controls.

RemediationAI

Vendor-released patch: upgrade to Postiz version 2.21.5 or later, which implements redirect destination validation to prevent SSRF via the /api/public/stream endpoint. Upstream commit 30e8b777098157362769226d1b46d83ad616cb06 addresses redirect chain validation. Organizations unable to upgrade immediately should implement network egress filtering to block server-initiated requests to internal IP ranges and apply web application firewall rules restricting /api/public/stream access. Consult vendor security advisory at https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww for technical details. Release notes available at https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.5

Share

CVE-2026-40168 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy