Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4.
AnalysisAI
Server-side request forgery (SSRF) in Postiz prior to version 2.21.4 allows authenticated users to create webhooks pointing to internal or private network addresses, which are then fetched without runtime validation when posts are published, enabling blind SSRF attacks against internal services. The vulnerability stems from inconsistent input validation: the webhook creation endpoint (POST /webhooks/) uses only basic URL format checking, while the update and test endpoints correctly enforce strict URL validation. CVSS 5.4 with EPSS exploitation probability reflects the requirement for authentication and limited direct impact, though the ability to target internal infrastructure represents meaningful risk.
Technical ContextAI
Postiz is a Node.js-based social media scheduling application that accepts webhook URLs for post publishing events. The vulnerability arises from CWE-918 (Server-Side Request Forgery) in the webhook management system. The POST /webhooks/ endpoint in WebhooksDto validates the URL field using only the @IsUrl() decorator, which performs format validation but does not filter internal/reserved IP ranges or private domain namespaces. In contrast, the PUT /webhooks/ (update) and POST /webhooks/send (test) endpoints correctly apply the @IsSafeWebhookUrl validator, which blocks RFC1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost variants, and link-local addresses. During post publication, the orchestrator retrieves the stored webhook URL and makes HTTP requests without repeating runtime validation, enabling exploitation of the initial validation gap. The affected CPE is cpe:2.3:a:gitroomhq:postiz-app:*:*:*:*:*:*:*:* with confirmed impact up to and including version 2.21.3.
RemediationAI
Upgrade Postiz to version 2.21.4 or later immediately. The patched version applies the @IsSafeWebhookUrl validator consistently across all webhook endpoints (creation, update, and test), blocking requests to internal/private addresses. Users unable to upgrade immediately should implement network-level controls: restrict outbound connections from the Postiz application host to internal networks using firewall rules, or deploy the application in a DMZ with no direct routing to internal subnets. Review existing webhooks in the application for any pointing to non-public URLs and delete them. Refer to the official security advisory at https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-wc9c-7cv8-m225 for detailed patch notes and the commit at https://github.com/gitroomhq/postiz-app/commit/5ae4c950db6aa516a31454b7a45b9480bca40a11 for validation implementation details.
More in Postiz App
View allPrivilege escalation to SUPERADMIN in Postiz (gitroomhq/postiz-app) versions prior to 2.21.8 allows any authenticated us
Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who c
Server-side request forgery in Postiz AI social media scheduling tool (versions < 2.21.3) allows unauthenticated remote
Server-side request forgery (SSRF) in Postiz social media scheduling tool versions prior to 2.21.3 allows authenticated
Server-side request forgery in Postiz (gitroomhq postiz-app) versions prior to 2.21.5 allows unauthenticated remote atta
Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.
Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added i
Unauthenticated exploitation of Postiz's `/public/modify-subscription` endpoint allowed any caller in possession of a va
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18452