Description
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3.
Published: 2026-04-02
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SSRF exposing internal services
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows any unauthenticated client to supply a URL to the /public/stream endpoint and have the application fetch the full HTTP response and return it to the requester. The only validation is a weak check that the URL string ends with "mp4", which is trivially bypassed by placing ".mp4" in a query parameter value or URL fragment, since neither is part of the path. Because the endpoint is unauthenticated and lacks SSRF safeguards, an attacker can read data from internal services, cloud metadata endpoints, and other network resources that are reachable from the host. The weakness is a Server-Side Request Forgery (CWE-918), allowing confidentiality compromise of internal systems.
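The following is an added example (not Postiz code and not the 2.21.3 fix) illustrating the suffix check described in the CVE description and the Impact section above, alongside a hardened validator for a URL-proxying endpoint. The names `weakExtensionCheck` and `validateStreamUrl`, the https-only policy, and the blocked address ranges are assumptions of this example, not anything the advisory specifies.

```javascript
// Added example: weak suffix check vs. a parse-then-validate approach.
// Not Postiz code. Assumes the endpoint only needs public https video URLs.

// The pattern the advisory describes: a plain string suffix test. Anything
// ending in "mp4" passes, including "?x=.mp4" and "#.mp4" tails.
function weakExtensionCheck(raw) {
  return raw.endsWith('mp4');
}

// Parse a dotted-quad IPv4 literal; return the four octets or null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Loopback, link-local (where cloud metadata services live), RFC 1918
// private ranges and "this network": none should be reachable via a
// public proxy endpoint. (Assumed policy for this example.)
function isBlockedIPv4([a, b]) {
  return (
    a === 0 ||
    a === 10 ||
    a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// Returns { ok: true, url } for an acceptable URL, else { ok: false, reason }.
function validateStreamUrl(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parsing also normalizes numeric host forms
  } catch {
    return { ok: false, reason: 'unparseable url' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in url' };
  }
  const host = url.hostname.toLowerCase();
  // IPv6 literals arrive bracketed; this example rejects them outright.
  if (host.startsWith('[') || host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'local host' };
  }
  const v4 = parseIPv4(host);
  if (v4 && isBlockedIPv4(v4)) {
    return { ok: false, reason: 'internal address' };
  }
  // Check the extension on the parsed path only, so a query string or
  // fragment can never satisfy it.
  if (!url.pathname.toLowerCase().endsWith('.mp4')) {
    return { ok: false, reason: 'not an mp4 path' };
  }
  return { ok: true, url: url.href };
}
```

The literal-address check only covers what is written in the URL; a public hostname can still resolve to an internal address, so the code that opens the connection must re-check the resolved IP and must re-validate any redirect target before following it. Parsing first also means host spellings such as a decimal IPv4 integer are normalized to dotted-quad form before the range check runs, which a string match on the raw input would miss.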

Affected Systems

Gitroomhq’s Postiz application, specifically versions earlier than 2.21.3, is affected. The issue is fixed in release 2.21.3 and any later version.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity flaw. The EPSS score is below 1%, suggesting a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Since the endpoint requires no authentication and imposes no SSRF prevention, the attack can be carried out by anyone with access to the application’s public interface, making the exposure straightforward for an adversary who discovers it.

Generated by OpenCVE AI on April 7, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Postiz to version 2.21.3 or later

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 21:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Gitroom
                                      Gitroom postiz
CPEs                                  cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:*
Vendors & Products                    Gitroom
                                      Gitroom postiz

Fri, 03 Apr 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Gitroomhq
                                      Gitroomhq postiz-app
Vendors & Products                    Gitroomhq
                                      Gitroomhq postiz-app

Thu, 02 Apr 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3.
Title                          Postiz: Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check
Weaknesses                     CWE-918
References
Metrics                        cvssV3_1
                               {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T15:52:56.345Z

Reserved: 2026-03-30T16:56:30.998Z

Link: CVE-2026-34577

Vulnrichment

Updated: 2026-04-03T15:52:48.309Z

NVD

Status: Analyzed

Published: 2026-04-02T18:16:30.347

Modified: 2026-04-07T21:21:47.943

Link: CVE-2026-34577

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:55:29Z

Weaknesses