Description
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3.
Published: 2026-04-02
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: SSRF, Data Exfiltration
Action: Apply Patch
AI Analysis

Impact

This vulnerability exists in the GET /public/stream endpoint of Postiz. The endpoint accepts a user‑supplied url query parameter and forwards the full HTTP response to the client. Validation only checks that the supplied URL ends with .mp4, a check that can be bypassed by appending .mp4 as a query value or fragment. Because the endpoint is publicly accessible and lacks SSRF protections, an unauthenticated attacker can retrieve responses from internal services, cloud metadata endpoints, and other network‑internal resources. The effect is a server‑side request forgery that exposes confidential internal network data, potentially allowing further attacks against the host or surrounding infrastructure.

Affected Systems

Postiz, an AI social media scheduling application developed by GitRoomHQ. Versions earlier than 2.21.3 are affected.

Risk and Exploitability

The CVSS v3 score of 8.6 indicates high severity, reflecting the combination of unauthenticated access, high impact, and the ease of exploitation. Although EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog, the no‑auth boundary and trivial bypass make it likely that threat actors could exploit it. Attackers can target the endpoint directly over HTTP/HTTPS; the condition is minimal – simply request the endpoint with a crafted url parameter. Successful exploitation yields read access to arbitrary internal HTTP(S) resources.

Generated by OpenCVE AI on April 2, 2026 at 22:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Postiz to version 2.21.3 or later.
  • If upgrade is not immediately possible, restrict access to the /public/stream endpoint to trusted IPs or block the endpoint entirely using a firewall or reverse proxy.
  • Monitor outgoing requests from the application for unexpected URLs or patterns indicating SSRF activity.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Gitroomhq; Gitroomhq postiz-app
Vendors & Products   (none)           Gitroomhq; Gitroomhq postiz-app

Thu, 02 Apr 2026 20:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3.
Title        (none)           Postiz: Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check
Weaknesses   (none)           CWE-918
References   (none)
Metrics      (none)           cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T15:52:56.345Z

Reserved: 2026-03-30T16:56:30.998Z

Link: CVE-2026-34577

Vulnrichment

Updated: 2026-04-03T15:52:48.309Z

NVD

Status: Awaiting Analysis

Published: 2026-04-02T18:16:30.347

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34577

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:17:21Z

Weaknesses