Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-accessible but requires a valid external signed token (AC:H); no Postiz auth needed (PR:N); no confidentiality impact; self-contained integrity and availability degradation only.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller's own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8.
AnalysisAI
Unauthenticated exploitation of Postiz's /public/modify-subscription endpoint allowed any caller in possession of a validly signed NowPayments callback token to trigger subscription enforcement side effects against their own organization - disabling team members, dropping integrations, and resetting the scheduled-post cron - without Postiz authentication. The flaw (CWE-345) stems from the NowPayments crypto payment integration: the endpoint verified the token's cryptographic signature but never validated its intended purpose or bound it to a specific subscription-modification context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two specific conditions: first, a validly signed token accepted by the `/public/modify-subscription` endpoint, originating from the NowPayments crypto payment integration signing key - either intercepted from a prior payment callback or derived from knowledge of the key; second, the target Postiz instance must have had the NowPayments crypto payment feature configured and active (non-default for most deployments without a configured NowPayments API key). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.8 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L is consistent with the described constraints. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has previously completed or intercepted a NowPayments crypto payment flow for their own Postiz organization captures a validly signed callback token from that flow. They replay this token in a POST request to `/public/modify-subscription` with claims asserting a free-tier plan, causing their organization's social media integrations above the free-plan limit to be disabled and the scheduled-post cron to be reset - effectively disrupting their own Postiz service. … |
| Remediation | Upgrade Postiz to version 2.21.8, confirmed as the vendor-released patch via the GitHub release at https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.8 and commit 23696d2973510ae1f3f48bfa41a6bfbbf9827b05. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Postiz App
View allPrivilege escalation to SUPERADMIN in Postiz (gitroomhq/postiz-app) versions prior to 2.21.8 allows any authenticated us
Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who c
Server-side request forgery in Postiz AI social media scheduling tool (versions < 2.21.3) allows unauthenticated remote
Server-side request forgery (SSRF) in Postiz social media scheduling tool versions prior to 2.21.3 allows authenticated
Server-side request forgery in Postiz (gitroomhq postiz-app) versions prior to 2.21.5 allows unauthenticated remote atta
Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.
Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added i
Server-side request forgery (SSRF) in Postiz prior to version 2.21.4 allows authenticated users to create webhooks point
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37507