Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-accessible but requires a valid external signed token (AC:H); no Postiz auth needed (PR:N); no confidentiality impact; self-contained integrity and availability degradation only.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller's own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8.
AnalysisAI
Unauthenticated exploitation of Postiz's /public/modify-subscription endpoint allowed any caller in possession of a validly signed NowPayments callback token to trigger subscription enforcement side effects against their own organization - disabling team members, dropping integrations, and resetting the scheduled-post cron - without Postiz authentication. The flaw (CWE-345) stems from the NowPayments crypto payment integration: the endpoint verified the token's cryptographic signature but never validated its intended purpose or bound it to a specific subscription-modification context. Impact is strictly self-contained; the endpoint cannot be redirected at other tenants. No public exploit code and no CISA KEV listing have been identified at time of analysis. The issue is fixed in Postiz 2.21.8.
Technical ContextAI
Postiz (cpe:2.3:a:gitroomhq:postiz-app) is a NestJS-based AI social media scheduling platform. The vulnerable component was the /public/modify-subscription endpoint wired into the NowPayments crypto billing integration, which accepted a signed token and executed subscription enforcement logic (team-member state, integration count limits, cron scheduling) based on the plan tier asserted in the token's claims. The root cause is CWE-345 (Insufficient Verification of Data Authenticity): a confused-deputy pattern in which the server verified the token's cryptographic signature but omitted any check of the token's audience, scope, or purpose binding. Any signed token from the NowPayments flow - regardless of the action it was originally issued for - could be replayed against the subscription endpoint. The fix at commit 23696d2973510ae1f3f48bfa41a6bfbbf9827b05 removed the entire Nowpayments module and its public endpoints from the NestJS module, controller, and billing controller. The same patch also hardened the auth middleware to re-resolve users from the database rather than trusting JWT body claims directly, and stripped credential fields (token, refreshToken, customInstanceDetails) from integration API responses.
RemediationAI
Upgrade Postiz to version 2.21.8, confirmed as the vendor-released patch via the GitHub release at https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.8 and commit 23696d2973510ae1f3f48bfa41a6bfbbf9827b05. The fix eliminates the vulnerable endpoint entirely by removing the NowPayments crypto payment module. If an immediate upgrade is not feasible, operators should block external HTTP access to the /public/modify-subscription path at the reverse proxy or WAF layer; be aware this will also deny access to other unauthenticated public routes (e.g., OAuth callbacks) hosted under the same /public/ prefix, so test for side effects before applying. Restricting inbound traffic to known NowPayments IP ranges at the network boundary is an additional compensating control, though IP allowlists can be bypassed if the signing key is compromised. The vendor advisory at https://gadvisory.org/advisories/PSA-2026-WWFR8X provides supplemental remediation guidance.
More in Postiz App
View allPrivilege escalation to SUPERADMIN in Postiz (gitroomhq/postiz-app) versions prior to 2.21.8 allows any authenticated us
Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who c
Server-side request forgery in Postiz AI social media scheduling tool (versions < 2.21.3) allows unauthenticated remote
Server-side request forgery (SSRF) in Postiz social media scheduling tool versions prior to 2.21.3 allows authenticated
Server-side request forgery in Postiz (gitroomhq postiz-app) versions prior to 2.21.5 allows unauthenticated remote atta
Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.
Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added i
Server-side request forgery (SSRF) in Postiz prior to version 2.21.4 allows authenticated users to create webhooks point
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37507