Skip to main content

Postiz App EUVDEUVD-2026-18448

| CVE-2026-34577 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-02 GitHub_M
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:08 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.21.3
EUVD ID Assigned
Apr 02, 2026 - 17:30 euvd
EUVD-2026-18448
Analysis Generated
Apr 02, 2026 - 17:30 vuln.today
CVE Published
Apr 02, 2026 - 17:24 nvd
HIGH 8.6

DescriptionGitHub Advisory

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3.

AnalysisAI

Server-side request forgery in Postiz AI social media scheduling tool (versions < 2.21.3) allows unauthenticated remote attackers to read internal network resources and cloud metadata endpoints through the /public/stream proxy endpoint. The vulnerability bypasses trivial .mp4 validation via query parameters or URL fragments, enabling unauthorized access to internal services without authentication. No public exploit identified at time of analysis, but CVSS 8.6 reflects high confidentiality impact with network-level attack vector and low complexity. EPSS data not available, but the combination of no authentication requirement and cloud metadata access risk makes this a priority for organizations running Postiz in cloud environments.

Technical ContextAI

This is a classic Server-Side Request Forgery (CWE-918) vulnerability in Postiz's PublicController component. The /public/stream endpoint was designed to proxy video content (hence the .mp4 validation), but implements only suffix-based URL filtering that checks url.endsWith('mp4'). This validation is fundamentally flawed because HTTP URLs can contain arbitrary query strings (e.g., http://169.254.169.254/latest/meta-data?.mp4) or fragments (e.g., http://internal-service/admin#.mp4) that satisfy the suffix check while pointing to non-video resources. The endpoint acts as an open HTTP proxy, forwarding requests to attacker-controlled destinations and returning full responses. In cloud environments, this enables access to instance metadata services (AWS 169.254.169.254, GCP metadata.google.internal, Azure 169.254.169.254) which can expose credentials, API keys, and configuration data. The affected product per CPE data is gitroomhq:postiz-app versions prior to 2.21.3.

RemediationAI

Upgrade immediately to Postiz version 2.21.3 or later, which contains patches for the SSRF vulnerability. The patched release is available at https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3 and includes proper URL validation that prevents bypassing the .mp4 suffix check. If immediate patching is not possible, implement network-level controls as temporary mitigation: configure egress filtering to block the Postiz application server from accessing internal networks and cloud metadata endpoints (169.254.169.254, metadata.google.internal, etc.), and place the application behind a web application firewall with SSRF protection rules. Additionally, restrict access to the /public/stream endpoint at the network perimeter if the streaming functionality is not required for your deployment. Review application logs for suspicious requests to the /public/stream endpoint with unusual URL parameters to identify potential exploitation attempts. After patching, verify the fix by attempting to access internal resources through the endpoint to confirm proper validation is enforced.

Share

EUVD-2026-18448 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy