Description
Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801.
Published: 2026-05-08
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Postiz’s build workflow permits an unauthenticated attacker to inject arbitrary code into the Docker build process by modifying Dockerfile.dev in a pull request. This results in the execution of attacker supplied commands during image construction and the exfiltration of a highly privileged GitHub token with write‑all permissions. Because the code runs with the privileges of the workflow, the attacker can compromise both confidentiality and integrity of the repository and any downstream services.

Affected Systems

The affected product is Postiz‑app from gitroomhq. The issue exists in all releases that include the original .github/workflows/pr‑docker‑build.yml prior to the patch commit da44801. Any user who opens a pull request from a fork containing a malicious Dockerfile.dev can trigger the vulnerability.

Risk and Exploitability

The CVSS score of 10 indicates critical severity. No EPSS data is available, and the vulnerability is not yet listed in CISA’s KEV catalog, but the attack vector requires only an unauthenticated pull request, making exploitation straightforward. The attacker needs only to host a fork with a tampered Dockerfile.dev and submit a PR to trigger the workflow.

Generated by OpenCVE AI on May 8, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit da44801 to update the pr-docker-build.yml workflow.
  • Restrict pull requests from forks or enforce code review and file whitelist before the workflow runs.
  • Reduce the scope of the GITHUB_TOKEN used in the workflow to only necessary permissions and consider using a dedicated token.

Generated by OpenCVE AI on May 8, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Gitroom
Gitroom postiz
CPEs cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:*
Vendors & Products Gitroom
Gitroom postiz

Mon, 11 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Gitroomhq
Gitroomhq postiz-app
Vendors & Products Gitroomhq
Gitroomhq postiz-app

Fri, 08 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801.
Title Postiz: Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Gitroom Postiz
Gitroomhq Postiz-app
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T18:02:03.832Z

Reserved: 2026-04-26T12:13:55.552Z

Link: CVE-2026-42298

cve-icon Vulnrichment

Updated: 2026-05-11T18:01:58.543Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T23:16:36.497

Modified: 2026-06-01T16:42:12.873

Link: CVE-2026-42298

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T23:30:15Z

Weaknesses