Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable callback (AV:N), trivial forgery from patch diff (AC:L), any authenticated user suffices (PR:L), no victim interaction (UI:N); forged SUPERADMIN crosses org boundaries (S:C) with full CIA impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed Full Access to the following: all parts of Postiz, including users registered to the specific instance and the ability to post in the name of the victim's social media channels added to that Postiz instance. This issue has been fixed in version 2.21.8.
AnalysisAI
Privilege escalation to SUPERADMIN in Postiz (gitroomhq/postiz-app) versions prior to 2.21.8 allows any authenticated user to forge session JWTs and impersonate arbitrary organizations. The Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware blindly trusted every claim without re-resolving the user from the database. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) an authenticated session on the target Postiz instance - any low-privileged user account, including freshly self-registered ones where registration is open - and (2) network reachability to the Skool integration callback under the no-auth integrations controller. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals converge on a high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a normal account on a target Postiz instance, then issues a request to the Skool integration callback with a base64-encoded JSON body specifying id of a target admin user and isSuperAdmin: true. The server signs that payload into a valid session JWT using JWT_SECRET, the attacker replaces their session cookie/header with it, and the auth middleware accepts the forged identity, granting full access to every organization and the ability to post under any connected social channel. … |
| Remediation | The primary fix is to upgrade to Vendor-released patch: Postiz 2.21.8 or later, available at http://github.com/gitroomhq/postiz-app/releases/tag/v2.21.8, which both replaces the dangerous AuthService.signJWT(JSON.parse(...)) call in the Skool callback with AuthService.fixedEncryption and forces AuthMiddleware to re-resolve the user from the database via _userService.getUserById(payload.id) instead of trusting JWT claims (commit 23696d2973510ae1f3f48bfa41a6bfbbf9827b05). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Postiz deployments and identify versions; disable Skool integration if running versions prior to 2.21.8 until patched. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Postiz App
View allPostiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who c
Server-side request forgery in Postiz AI social media scheduling tool (versions < 2.21.3) allows unauthenticated remote
Server-side request forgery (SSRF) in Postiz social media scheduling tool versions prior to 2.21.3 allows authenticated
Server-side request forgery in Postiz (gitroomhq postiz-app) versions prior to 2.21.5 allows unauthenticated remote atta
Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.
Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added i
Server-side request forgery (SSRF) in Postiz prior to version 2.21.4 allows authenticated users to create webhooks point
Unauthenticated exploitation of Postiz's `/public/modify-subscription` endpoint allowed any caller in possession of a va
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37505