Description
Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801.
Published: 2026-05-08
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Postiz’s build workflow permits an unauthenticated attacker to inject arbitrary code into the Docker build process by modifying Dockerfile.dev in a pull request. This results in the execution of attacker supplied commands during image construction and the exfiltration of a highly privileged GitHub token with write‑all permissions. Because the code runs with the privileges of the workflow, the attacker can compromise both confidentiality and integrity of the repository and any downstream services.

Affected Systems

The affected product is Postiz‑app from gitroomhq. The issue exists in all releases that include the original .github/workflows/pr‑docker‑build.yml prior to the patch commit da44801. Any user who opens a pull request from a fork containing a malicious Dockerfile.dev can trigger the vulnerability.

Risk and Exploitability

The CVSS score of 10 indicates critical severity. No EPSS data is available, and the vulnerability is not yet listed in CISA’s KEV catalog, but the attack vector requires only an unauthenticated pull request, making exploitation straightforward. The attacker needs only to host a fork with a tampered Dockerfile.dev and submit a PR to trigger the workflow.

Generated by OpenCVE AI on May 8, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit da44801 to update the pr-docker-build.yml workflow.
  • Restrict pull requests from forks or enforce code review and file whitelist before the workflow runs.
  • Reduce the scope of the GITHUB_TOKEN used in the workflow to only necessary permissions and consider using a dedicated token.

Generated by OpenCVE AI on May 8, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Gitroomhq
Gitroomhq postiz-app
Vendors & Products Gitroomhq
Gitroomhq postiz-app

Fri, 08 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801.
Title Postiz: Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Gitroomhq Postiz-app
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T22:24:10.249Z

Reserved: 2026-04-26T12:13:55.552Z

Link: CVE-2026-42298

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T23:16:36.497

Modified: 2026-05-08T23:16:36.497

Link: CVE-2026-42298

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T23:30:15Z

Weaknesses