Description
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.) which is trivially bypassed by appending an image extension to any URL path. An authenticated API user can fetch internal network resources, cloud instance metadata, and other internal services, with the response data uploaded to storage and returned to the attacker. This issue has been patched in version 2.21.3.
Published: 2026-04-02
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server Side Request Forgery exposing internal resources and cloud metadata
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from the POST /public/v1/upload-from-url endpoint of the Postiz AI social media scheduling tool. The server fetches the supplied URL with axios.get(), and the only pre-fetch validation is a file-extension check on the URL path, which is satisfied by any URL whose path ends in an allowed image extension (for example a path ending in /.png). An authenticated API user can therefore make the server retrieve arbitrary internal resources, including cloud instance metadata endpoints, which on most platforms return instance identity and temporary credentials, as well as any other service reachable only from the Postiz host. Because the retrieved body is written to storage and returned to the caller, this is a full-read SSRF rather than a blind one. The weakness is CWE-918 (Server-Side Request Forgery). Both published CVSS vectors rate the impact as high confidentiality loss with no integrity or availability impact, with scope changed because the exposed resources belong to systems other than Postiz itself.

Affected Systems

The affected product is Postiz by Gitroom, tracked as gitroomhq:postiz-app in the GitHub advisory and under the NVD CPE cpe:2.3:a:gitroom:postiz. All releases prior to v2.21.3 are vulnerable; v2.21.3 contains the fix.

Risk and Exploitability

The CVE record carries a CVSS v4.0 base score of 8.3 (High); NVD's v3.1 assessment is 7.7 (High) with changed scope, high confidentiality impact and no integrity or availability impact. The EPSS score is below 1%, so the modelled probability of exploitation in the wild is currently low, but the SSVC enrichment records Exploitation: poc, meaning a proof of concept exists, and the attack is simple: a holder of any valid API key sends one POST to upload-from-url with a URL whose path ends in an allowed image extension. The issue is not listed in CISA's KEV catalog. The only precondition is API authentication, not administrative access, so a leaked or low-privilege API key is sufficient.

Generated by OpenCVE AI on April 7, 2026 at 23:30 UTC.

Remediation

Vendor fix: upgrade to Postiz v2.21.3 or later, per the CVE description. No vendor-published workaround is recorded.

OpenCVE Recommended Actions

  • Upgrade Postiz to version 2.21.3 or later; this is the only vendor-supported fix.
  • If an upgrade is not immediately possible, disable or gate the /public/v1/upload-from-url endpoint (restricting it to trusted IP ranges helps only if the attacker's API key cannot be used from those ranges), and add egress filtering so the Postiz host cannot reach loopback, RFC 1918, link-local or cloud metadata addresses; on AWS, enforce IMDSv2, whose PUT-then-GET token flow a GET-only SSRF cannot complete.
  • In application code, validate the resolved IP address rather than the hostname string or the file extension: allowlist the external hosts uploads may come from, or at minimum reject loopback, private, link-local and IPv4-mapped IPv6 addresses, and make the fetch connect to the address that was checked so DNS rebinding cannot bypass the check.
  • Monitor API activity for abnormal upload-from-url requests, in particular URLs whose host is an IP literal, a decimal or hexadecimal host, or an internal name, and review storage for uploaded objects whose content is not an image.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Gitroom; Gitroom postiz
CPEs | (none) | cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Gitroom; Gitroom postiz
Metrics | (none) | cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


Fri, 03 Apr 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Gitroomhq; Gitroomhq postiz-app
Vendors & Products | (none) | Gitroomhq; Gitroomhq postiz-app

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | (the CVE description reproduced at the top of this page)
Title | (none) | Postiz: SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata
Weaknesses | (none) | CWE-918
References | (none) | (none shown)
Metrics | (none) | cvssV4_0 {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T18:57:33.241Z

Reserved: 2026-03-30T16:56:30.998Z

Link: CVE-2026-34576

Vulnrichment

Updated: 2026-04-02T18:57:28.329Z

NVD

Status: Analyzed

Published: 2026-04-02T18:16:30.180

Modified: 2026-04-07T21:21:43.280

Link: CVE-2026-34576

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:55:30Z

Weaknesses