Description
Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed Full Access to the following: all parts of Postiz, including users registered to the specific instance and the ability to post in the name of the victim's social media channels added to that Postiz instance. This issue has been fixed in version 2.21.8.
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can forge a JWT that the authentication middleware blindly accepts, allowing an authenticated user to impersonate any organization and gain full control of the Postiz instance, including user data and the ability to post to connected social media channels. This vulnerability is rooted in improper validation of JWT claims (CWE‑302, CWE‑345, CWE‑863).

Affected Systems

The Postiz AI social media scheduling tool (gitroomhq:postiz-app) running any version earlier than 2.21.8 is affected; all tenants on those installations are at risk.

Risk and Exploitability

With a CVSS score of 9.9 the risk is critical; the EPSS score is below 1%, indicating exploitation probability is low but not negligible, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires an authenticated user and a functional Skool integration callback, the attack vector is likely through a legitimate user’s workflow rather than remote code execution.

Generated by OpenCVE AI on June 17, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Postiz update to version 2.21.8 or later
  • If an upgrade is not immediately possible, disable the Skool integration for all tenants or block external callbacks that generate JWTs
  • Rotate the JWT secret used by Postiz to invalidate any existing forged tokens and confirm that authentication logic resolves users from the database before establishing a session
  • Review and harden JWT validation to reject claims that do not match database records

Generated by OpenCVE AI on June 17, 2026 at 19:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Gitroomhq
Gitroomhq postiz-app
Vendors & Products Gitroomhq
Gitroomhq postiz-app

Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed Full Access to the following: all parts of Postiz, including users registered to the specific instance and the ability to post in the name of the victim's social media channels added to that Postiz instance. This issue has been fixed in version 2.21.8.
Title Postiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery
Weaknesses CWE-302
CWE-345
CWE-863
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Gitroomhq Postiz-app
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T14:26:17.633Z

Reserved: 2026-05-22T20:18:20.365Z

Link: CVE-2026-48781

cve-icon Vulnrichment

Updated: 2026-06-18T14:26:11.610Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T19:30:11Z

Weaknesses
  • CWE-302

    Authentication Bypass by Assumed-Immutable Data

  • CWE-345

    Insufficient Verification of Data Authenticity

  • CWE-863

    Incorrect Authorization