Skip to main content

Postiz CVE-2026-48781

| EUVDEUVD-2026-37505 CRITICAL
Authentication Bypass by Assumed-Immutable Data (CWE-302)
2026-06-16 GitHub_M
9.9
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable callback (AV:N), trivial forgery from patch diff (AC:L), any authenticated user suffices (PR:L), no victim interaction (UI:N); forged SUPERADMIN crosses org boundaries (S:C) with full CIA impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 16, 2026 - 23:27 vuln.today
Analysis Generated
Jun 16, 2026 - 23:27 vuln.today
Patch available
Jun 16, 2026 - 23:02 EUVD

DescriptionCVE.org

Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed Full Access to the following: all parts of Postiz, including users registered to the specific instance and the ability to post in the name of the victim's social media channels added to that Postiz instance. This issue has been fixed in version 2.21.8.

AnalysisAI

Privilege escalation to SUPERADMIN in Postiz (gitroomhq/postiz-app) versions prior to 2.21.8 allows any authenticated user to forge session JWTs and impersonate arbitrary organizations. The Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware blindly trusted every claim without re-resolving the user from the database. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or use existing Postiz account
Delivery
Craft base64 JSON with isSuperAdmin true
Exploit
POST to Skool integration callback
Execution
Receive forged SUPERADMIN session JWT
Persist
Replace own session token with forgery
Impact
Access arbitrary organizations and post as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) an authenticated session on the target Postiz instance - any low-privileged user account, including freshly self-registered ones where registration is open - and (2) network reachability to the Skool integration callback under the no-auth integrations controller. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals converge on a high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a normal account on a target Postiz instance, then issues a request to the Skool integration callback with a base64-encoded JSON body specifying id of a target admin user and isSuperAdmin: true. The server signs that payload into a valid session JWT using JWT_SECRET, the attacker replaces their session cookie/header with it, and the auth middleware accepts the forged identity, granting full access to every organization and the ability to post under any connected social channel. …
Remediation The primary fix is to upgrade to Vendor-released patch: Postiz 2.21.8 or later, available at http://github.com/gitroomhq/postiz-app/releases/tag/v2.21.8, which both replaces the dangerous AuthService.signJWT(JSON.parse(...)) call in the Skool callback with AuthService.fixedEncryption and forces AuthMiddleware to re-resolve the user from the database via _userService.getUserById(payload.id) instead of trusting JWT claims (commit 23696d2973510ae1f3f48bfa41a6bfbbf9827b05). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Postiz deployments and identify versions; disable Skool integration if running versions prior to 2.21.8 until patched. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy