Description
Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4.
Published: 2026-04-02
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server‑Side Request Forgery via unvalidated webhook URLs
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the webhook creation endpoint (POST /webhooks/) of Postiz, where the supplied URL is validated only for URL format by @IsUrl(). The @IsSafeWebhookUrl validator that the update and test endpoints apply is missing here, so an authenticated user who can create webhooks may store a URL pointing at a loopback, private-network or link-local address. When a post is published, the orchestrator retrieves the stored URL and requests it without further validation, so the server issues a request into its own network on the attacker's behalf. The SSRF is blind: the attacker does not receive the response body, so its practical uses are probing for internal services (through timing or side effects) and triggering requests against services that trust traffic from the server's network, rather than reading data back directly. The weakness is classified as CWE-918, Server-Side Request Forgery (SSRF).
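To make the difference between the two levels of checking concrete, here is an added example in TypeScript (the language Postiz is written in) that is not Postiz's own code: isUrlFormatOnly stands in for a format-only @IsUrl() check, isSafeWebhookUrl is an assumed implementation of what a safe-webhook-URL validator has to do (the page names @IsSafeWebhookUrl but does not show its source, so the address ranges and rules below are this example's assumptions), and dispatchWebhook adds the dispatch-time re-check the orchestrator lacked. The resolver and sender passed to dispatchWebhook are constructed stand-ins for DNS and the HTTP client so that the example runs offline.

```typescript
// Added example; not Postiz code. Uses only the WHATWG URL class built into Node.

type Verdict = { safe: boolean; reason: string };

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number, or null if
// the string isn't one. The URL class already normalises hex/octal/integer
// spellings such as 0x7f.1 or 2130706433 to dotted quads before we get here.
function parseIPv4(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

// IPv4-mapped IPv6 literals reach the same hosts; the URL class serialises
// [::ffff:127.0.0.1] as [::ffff:7f00:1], so both spellings are handled.
function mappedIPv4(host: string): number | null {
  const v6 = host.startsWith("[") ? host.slice(1, -1) : host;
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(v6);
  if (dotted) return parseIPv4(dotted[1] ?? "");
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(v6);
  if (hex) return parseInt(hex[1] ?? "0", 16) * 65536 + parseInt(hex[2] ?? "0", 16);
  return null;
}

// Deny-list assumed for this example: "this" network, RFC 1918, CGNAT, loopback,
// link-local (which includes the 169.254.169.254 cloud metadata address) and
// multicast/reserved space.
const DENIED_IPV4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

function inCidr(addr: number, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === (((parseIPv4(base) ?? 0) & mask) >>> 0);
}

// Classify a hostname as it appears in URL.hostname (or a resolved address).
function checkHost(host: string): Verdict {
  const h = host.toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return { safe: false, reason: "loopback name" };
  const v4 = parseIPv4(h) ?? mappedIPv4(h);
  if (v4 !== null) {
    for (const [base, bits] of DENIED_IPV4) {
      if (inCidr(v4, base, bits)) return { safe: false, reason: `address in ${base}/${bits}` };
    }
    return { safe: true, reason: "public IPv4 literal" };
  }
  if (h.startsWith("[")) {
    const v6 = h.slice(1, -1);
    if (v6 === "::1" || v6 === "::") return { safe: false, reason: "IPv6 loopback/unspecified" };
    if (/^f[cd]/.test(v6)) return { safe: false, reason: "fc00::/7 unique local" };
    if (/^fe[89ab]/.test(v6)) return { safe: false, reason: "fe80::/10 link-local" };
    return { safe: true, reason: "public IPv6 literal" };
  }
  return { safe: true, reason: "DNS name; must be re-checked after resolution" };
}

// What a format-only check like @IsUrl() establishes: the string parses as an http(s) URL.
function isUrlFormatOnly(raw: string): boolean {
  try {
    const u = new URL(raw);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch {
    return false;
  }
}

// The creation-time check the vulnerable POST /webhooks/ endpoint lacked.
function isSafeWebhookUrl(raw: string): Verdict {
  if (!isUrlFormatOnly(raw)) return { safe: false, reason: "not an http(s) URL" };
  const u = new URL(raw);
  if (u.username || u.password) return { safe: false, reason: "credentials embedded in URL" };
  return checkHost(u.hostname);
}

type Resolver = (host: string) => string;             // stand-in for a DNS lookup
type Sender = (url: string, address: string) => void; // stand-in for the HTTP client

// Dispatch-time re-check: stored URLs may predate the fix, and a name that
// looked public at creation can resolve to a private address later (DNS
// rebinding), so the resolved address is classified again before sending.
function dispatchWebhook(storedUrl: string, resolve: Resolver, send: Sender): Verdict {
  const atRest = isSafeWebhookUrl(storedUrl);
  if (!atRest.safe) return atRest;
  const host = new URL(storedUrl).hostname;
  const address = host.startsWith("[") || parseIPv4(host) !== null ? host : resolve(host);
  const resolved = checkHost(address);
  if (!resolved.safe) return { safe: false, reason: `${host} resolved to ${address}: ${resolved.reason}` };
  send(storedUrl, address); // a real client should pin the connection to `address` and not follow redirects
  return { safe: true, reason: `sent to ${address}` };
}
```

The deny-list and IPv6 rules are deliberately short; a production validator should use a maintained address-classification library, apply the same classification to every hop of a redirect chain, and pin the outbound connection to the address it validated rather than resolving the name a second time.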

Affected Systems

The affected product is the AI social media scheduler Postiz (vendor Gitroomhq, project postiz-app). Versions earlier than 2.21.4 expose the insecure creation endpoint. Version 2.21.4 and later apply the @IsSafeWebhookUrl validator to the creation endpoint as well, matching the update and test endpoints. Note that the fix is applied at input time; the description does not mention a runtime check in the orchestrator, so webhooks stored before the upgrade are not re-validated by the upgrade itself.

Risk and Exploitability

The CVSS 3.1 base score is 5.4 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N: the endpoint is reachable over the network, exploitation is low-complexity and needs no user interaction, but it requires low-privilege authenticated access (an account allowed to create webhooks). The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog; the SSVC enrichment records a public proof of concept but rates it as not automatable with partial technical impact. An attacker can make the Postiz server send requests to any address it can reach, which may include databases, internal APIs or management consoles that trust traffic from the server's network. The vector rates the impact as low on confidentiality and low on integrity with no availability impact, consistent with a blind SSRF that cannot read responses.

Generated by OpenCVE AI on April 2, 2026 at 22:30 UTC.

Remediation

Vendor fix: Postiz 2.21.4, which adds the missing @IsSafeWebhookUrl validation to the webhook creation endpoint. No vendor-provided workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Postiz to version 2.21.4 or later to obtain the missing safe URL validation on POST /webhooks/
  • After upgrading, review webhooks that already exist in the database and delete or re-save any whose URL points at a loopback, private or link-local address, since the fix validates input and does not re-check stored URLs when posts are published
  • If upgrading is not immediately possible, apply egress filtering to the Postiz service so that it cannot open connections to loopback, RFC 1918, link-local (169.254.0.0/16, which covers cloud metadata endpoints) and other internal ranges; this also blocks legitimate webhooks to internal receivers, so allow-list those explicitly
  • Monitor outbound connections from the Postiz service for destinations in internal ranges and investigate any unexpected requests, particularly ones that coincide with post publication
  • Verify the fix by submitting a webhook with an internal address (for example a loopback or RFC 1918 URL) to POST /webhooks/ and confirming it is rejected with the same validation error that PUT /webhooks/ and POST /webhooks/send return

Tracking

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 16:30:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Gitroomhq; Gitroomhq postiz-app
Vendors & Products                     Gitroomhq; Gitroomhq postiz-app

Thu, 02 Apr 2026 20:30:00 +0000

Type         Values Removed    Values Added
Description                    Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4.
Title                          Postiz: SSRF via Webhook Creation Endpoint Missing URL Safety Validation
Weaknesses                     CWE-918
References
Metrics                        cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T15:49:51.856Z

Reserved: 2026-03-30T17:15:52.499Z

Link: CVE-2026-34590

Vulnrichment

Updated: 2026-04-03T15:49:42.960Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T18:16:30.670

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34590

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:17:20Z

Weaknesses