Impact
An attacker can forge a JWT that the authentication middleware blindly accepts, allowing an authenticated user to impersonate any organization and gain full control of the Postiz instance, including user data and the ability to post to connected social media channels. This vulnerability is rooted in improper validation of JWT claims (CWE‑302, CWE‑345, CWE‑863).
Affected Systems
The Postiz AI social media scheduling tool (gitroomhq:postiz-app) running any version earlier than 2.21.8 is affected; all tenants on those installations are at risk.
Risk and Exploitability
With a CVSS score of 9.9 the risk is critical; the EPSS score is below 1%, indicating exploitation probability is low but not negligible, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires an authenticated user and a functional Skool integration callback, the attack vector is likely through a legitimate user’s workflow rather than remote code execution.
OpenCVE Enrichment