Description
Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4.
Published: 2026-04-02
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (SSRF) allowing internal network exposure
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises because the POST /webhooks/ creation endpoint validates the url field only for URL syntax (@IsUrl()), omitting the @IsSafeWebhookUrl check that rejects internal and private network addresses. When a post is published, the orchestrator fetches the stored webhook URL without re-validating it, so an authenticated user who can create a webhook can make the Postiz server issue HTTP requests to any host the server can reach, such as loopback services or RFC 1918 addresses. The SSRF is blind: the response is not returned to the attacker, so the impact is the request itself (and any side effects it triggers on the internal service) plus whatever reachability can be inferred from errors or timing, not direct reading of internal data.
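The check that the creation endpoint was missing, as an added example in TypeScript (matching the decorator-based DTO validation the description refers to) that is not Postiz's own code: a host-safety predicate of the kind @IsSafeWebhookUrl performs, the re-check at publish time that the orchestrator lacked, and an audit over stored rows. The function names, the fetcher shape, the optional resolvedIps parameter and the sample rows are assumptions made for illustration, not the project's API.

```typescript
// Added example, not Postiz code. Names, the fetcher stand-in, the resolvedIps
// parameter and the sample rows are assumptions for illustration.

// IPv4 ranges a webhook must never target: "this host", RFC 1918, CGNAT,
// loopback, link-local (also where cloud metadata lives), multicast, reserved.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

function v4Blocked(ip: string): boolean {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
  });
}

// IPv6: loopback/unspecified, unique-local fc00::/7, link-local fe80::/10, and
// IPv4-mapped ::ffff:a.b.c.d (the WHATWG URL parser serialises it as ::ffff:hhhh:hhhh).
function v6Blocked(ip: string): boolean {
  const h = ip.toLowerCase();
  if (h === "::1" || h === "::") return true;
  if (/^f[cd]/.test(h) || /^fe[89ab]/.test(h)) return true;
  if (h.startsWith("::ffff:")) {
    const rest = h.slice(7);
    if (rest.includes(".")) return v4Blocked(rest);
    const [hi, lo] = rest.split(":").map((g) => parseInt(g, 16));
    return v4Blocked(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

// Literal-address detection for hostnames already normalised by the URL parser
// and for caller-supplied resolved addresses.
function ipKind(s: string): 4 | 6 | 0 {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(s) && s.split(".").every((o) => Number(o) <= 255)) return 4;
  if (s.includes(":") && /^[0-9a-f:.]+$/i.test(s)) return 6;
  return 0;
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Equivalent of the @IsSafeWebhookUrl check: http(s) only, no embedded
// credentials, no localhost, no literal private/loopback/link-local address.
// A hostname that resolves to a private address is only caught when the caller
// passes the addresses it resolved (e.g. from dns.lookup with { all: true }) in
// resolvedIps, and the connection must then be pinned to those addresses,
// otherwise a DNS rebind between check and connect bypasses the check.
function isSafeWebhookUrl(raw: string, resolvedIps: string[] = []): boolean {
  const u = parseUrl(raw);
  if (u === null) return false;
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  if (u.username !== "" || u.password !== "") return false;
  // WHATWG parsing already turns 0x7f000001, 2130706433 and 127.1 into 127.0.0.1.
  const host = u.hostname.replace(/^\[|\]$/g, "");
  if (host === "" || host === "localhost" || host.endsWith(".localhost")) return false;
  for (const t of [host, ...resolvedIps]) {
    const kind = ipKind(t);
    if (kind === 4 && v4Blocked(t)) return false;
    if (kind === 6 && v6Blocked(t)) return false;
  }
  return true;
}

type Fetcher = (url: string, body: string) => void;  // stand-in for the HTTP client

// Runtime re-check at publish time. Rows created before the fix are still in the
// database, so validating only at POST /webhooks/ is not enough.
function dispatchWebhook(url: string, payload: object, send: Fetcher,
                         resolvedIps: string[] = []): { sent: boolean; reason?: string } {
  if (!isSafeWebhookUrl(url, resolvedIps)) return { sent: false, reason: "unsafe webhook target" };
  send(url, JSON.stringify(payload));
  return { sent: true };
}

// Ids of stored webhooks that the creation endpoint would reject today.
function auditStoredWebhooks(rows: Array<{ id: string; url: string }>): string[] {
  return rows.filter((r) => !isSafeWebhookUrl(r.url)).map((r) => r.id);
}

// Constructed sample rows, not real data.
const SAMPLE_WEBHOOKS = [
  { id: "w1", url: "https://hooks.example.com/postiz" },
  { id: "w2", url: "http://169.254.169.254/latest/meta-data/" },
  { id: "w3", url: "http://0x7f000001:3000/" },
  { id: "w4", url: "http://[::ffff:10.0.0.5]/" },
  { id: "w5", url: "ftp://hooks.example.com/" },
];
```

Running auditStoredWebhooks over the sample flags w2 to w5. To use the predicate as a DTO decorator one would wrap it in a class-validator custom validator (an assumption about the framework; the page only names the decorators), and the same predicate should run again immediately before the orchestrator sends, since the stored row may predate the fix.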

Affected Systems

The affected product is Postiz, an AI‑powered social media scheduling platform from Gitroom HQ (tracked as gitroom:postiz and gitroomhq:postiz-app). Versions older than 2.21.4 contain the vulnerable creation endpoint; version 2.21.4 applies the @IsSafeWebhookUrl validator to POST /webhooks/, as the update and test endpoints already did.

Risk and Exploitability

The CVSS 3.1 score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) is medium severity: network-reachable and low complexity, but it requires an authenticated low-privilege account and yields only limited confidentiality and integrity impact, consistent with a blind SSRF. The EPSS score below 1% suggests a low likelihood of exploitation in the wild, the SSVC enrichment records Exploitation as "poc" (a proof of concept exists) and Automatable as "no", and the vulnerability is not listed in CISA's KEV catalog. The exploitation path is to create a webhook with an internal URL through the authenticated POST /webhooks/ endpoint, then publish a post so that the orchestrator fetches that URL from the server's network position.

Generated by OpenCVE AI on April 7, 2026 at 23:30 UTC.

Remediation

Fixed in Postiz 2.21.4, which adds @IsSafeWebhookUrl to the webhook creation endpoint. No vendor workaround for earlier versions is documented. The advisory does not say whether 2.21.4 also re-validates URLs already stored before the upgrade, so review existing webhook rows for internal or private targets after upgrading.

OpenCVE Recommended Actions

  • Upgrade Postiz to version 2.21.4 or later

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 21:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Gitroom
                                      Gitroom postiz
CPEs                                  cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:*
Vendors & Products                    Gitroom
                                      Gitroom postiz

Fri, 03 Apr 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Gitroomhq
                                      Gitroomhq postiz-app
Vendors & Products                    Gitroomhq
                                      Gitroomhq postiz-app

Thu, 02 Apr 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4.
Title                          Postiz: SSRF via Webhook Creation Endpoint Missing URL Safety Validation
Weaknesses                     CWE-918
References
Metrics                        cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T15:49:51.856Z

Reserved: 2026-03-30T17:15:52.499Z

Link: CVE-2026-34590

Vulnrichment

Updated: 2026-04-03T15:49:42.960Z

NVD

Status : Analyzed

Published: 2026-04-02T18:16:30.670

Modified: 2026-04-07T21:21:53.490

Link: CVE-2026-34590

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:55:28Z

Weaknesses