Skip to main content

Postiz EUVDEUVD-2026-37507

| CVE-2026-48783 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-16 GitHub_M
4.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
4.8 MEDIUM

Network-accessible but requires a valid external signed token (AC:H); no Postiz auth needed (PR:N); no confidentiality impact; self-contained integrity and availability degradation only.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 17, 2026 - 00:30 vuln.today
Analysis Generated
Jun 17, 2026 - 00:30 vuln.today
Patch available
Jun 16, 2026 - 23:02 EUVD

DescriptionCVE.org

Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller's own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8.

AnalysisAI

Unauthenticated exploitation of Postiz's /public/modify-subscription endpoint allowed any caller in possession of a validly signed NowPayments callback token to trigger subscription enforcement side effects against their own organization - disabling team members, dropping integrations, and resetting the scheduled-post cron - without Postiz authentication. The flaw (CWE-345) stems from the NowPayments crypto payment integration: the endpoint verified the token's cryptographic signature but never validated its intended purpose or bound it to a specific subscription-modification context. Impact is strictly self-contained; the endpoint cannot be redirected at other tenants. No public exploit code and no CISA KEV listing have been identified at time of analysis. The issue is fixed in Postiz 2.21.8.

Technical ContextAI

Postiz (cpe:2.3:a:gitroomhq:postiz-app) is a NestJS-based AI social media scheduling platform. The vulnerable component was the /public/modify-subscription endpoint wired into the NowPayments crypto billing integration, which accepted a signed token and executed subscription enforcement logic (team-member state, integration count limits, cron scheduling) based on the plan tier asserted in the token's claims. The root cause is CWE-345 (Insufficient Verification of Data Authenticity): a confused-deputy pattern in which the server verified the token's cryptographic signature but omitted any check of the token's audience, scope, or purpose binding. Any signed token from the NowPayments flow - regardless of the action it was originally issued for - could be replayed against the subscription endpoint. The fix at commit 23696d2973510ae1f3f48bfa41a6bfbbf9827b05 removed the entire Nowpayments module and its public endpoints from the NestJS module, controller, and billing controller. The same patch also hardened the auth middleware to re-resolve users from the database rather than trusting JWT body claims directly, and stripped credential fields (token, refreshToken, customInstanceDetails) from integration API responses.

RemediationAI

Upgrade Postiz to version 2.21.8, confirmed as the vendor-released patch via the GitHub release at https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.8 and commit 23696d2973510ae1f3f48bfa41a6bfbbf9827b05. The fix eliminates the vulnerable endpoint entirely by removing the NowPayments crypto payment module. If an immediate upgrade is not feasible, operators should block external HTTP access to the /public/modify-subscription path at the reverse proxy or WAF layer; be aware this will also deny access to other unauthenticated public routes (e.g., OAuth callbacks) hosted under the same /public/ prefix, so test for side effects before applying. Restricting inbound traffic to known NowPayments IP ranges at the network boundary is an additional compensating control, though IP allowlists can be bypassed if the signing key is compromised. The vendor advisory at https://gadvisory.org/advisories/PSA-2026-WWFR8X provides supplemental remediation guidance.

Share

EUVD-2026-37507 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy