Skip to main content

Postiz CVE-2026-48783

| EUVDEUVD-2026-37507 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-16 GitHub_M
4.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
4.8 MEDIUM

Network-accessible but requires a valid external signed token (AC:H); no Postiz auth needed (PR:N); no confidentiality impact; self-contained integrity and availability degradation only.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 17, 2026 - 00:30 vuln.today
Analysis Generated
Jun 17, 2026 - 00:30 vuln.today
Patch available
Jun 16, 2026 - 23:02 EUVD

DescriptionCVE.org

Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller's own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8.

AnalysisAI

Unauthenticated exploitation of Postiz's /public/modify-subscription endpoint allowed any caller in possession of a validly signed NowPayments callback token to trigger subscription enforcement side effects against their own organization - disabling team members, dropping integrations, and resetting the scheduled-post cron - without Postiz authentication. The flaw (CWE-345) stems from the NowPayments crypto payment integration: the endpoint verified the token's cryptographic signature but never validated its intended purpose or bound it to a specific subscription-modification context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or intercept NowPayments-signed callback token
Delivery
POST token to unauthenticated /public/modify-subscription
Exploit
Assert free-tier plan in token claims
Execution
Server executes enforcement side effects without purpose validation
Impact
Own organization integrations disabled and post crons reset

Vulnerability AssessmentAI

Exploitation Exploitation requires two specific conditions: first, a validly signed token accepted by the `/public/modify-subscription` endpoint, originating from the NowPayments crypto payment integration signing key - either intercepted from a prior payment callback or derived from knowledge of the key; second, the target Postiz instance must have had the NowPayments crypto payment feature configured and active (non-default for most deployments without a configured NowPayments API key). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.8 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L is consistent with the described constraints. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has previously completed or intercepted a NowPayments crypto payment flow for their own Postiz organization captures a validly signed callback token from that flow. They replay this token in a POST request to `/public/modify-subscription` with claims asserting a free-tier plan, causing their organization's social media integrations above the free-plan limit to be disabled and the scheduled-post cron to be reset - effectively disrupting their own Postiz service. …
Remediation Upgrade Postiz to version 2.21.8, confirmed as the vendor-released patch via the GitHub release at https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.8 and commit 23696d2973510ae1f3f48bfa41a6bfbbf9827b05. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48783 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy