Description
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller's own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8.
Published: 2026-06-16
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The endpoint /public/modify-subscription accepts a signed token but does not verify the token’s intended purpose. As a result, an unauthenticated requester can trigger subscription‑enforcement side effects on the organization referenced in the token’s claims. These side effects include disabling integrations that exceed the asserted plan’s limits, resetting the scheduled‑post cron for the free tier, and adjusting team‑member enablement state, but it cannot alter the persisted subscription tier.

Affected Systems

GitroomHQ’s Postiz application is affected; all releases older than version 2.21.8 are vulnerable. The issue was resolved in v2.21.8.

Risk and Exploitability

This is a moderate‑severity flaw with a CVSS score of 4.8 and an EPSS score of less than 1 %. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP(S) request to the public /public/modify-subscription endpoint with a crafted signed token. The impact is confined to the attacker’s own organization, so there is no tenant‑to‑tenant escalation, but the side‑effects can disrupt business operations and compliance.

Generated by OpenCVE AI on June 17, 2026 at 18:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Postiz to version 2.21.8 or later.
  • If an upgrade is not possible, restrict or disable the /public/modify-subscription endpoint to authenticated users only, or remove it entirely.
  • Review and re‑enable any integrations that were unintentionally disabled, verify team‑member enablement state, and reset the scheduled‑post cron to match the intended subscription tier.

Generated by OpenCVE AI on June 17, 2026 at 18:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Gitroomhq
Gitroomhq postiz-app
Vendors & Products Gitroomhq
Gitroomhq postiz-app

Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller's own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8.
Title Postiz has an unauthenticated billing-enforcement bypass via /public/modify-subscription
Weaknesses CWE-345
CWE-639
CWE-749
CWE-862
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Gitroomhq Postiz-app
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-17T12:43:39.751Z

Reserved: 2026-05-22T20:18:20.365Z

Link: CVE-2026-48783

cve-icon Vulnrichment

Updated: 2026-06-17T12:43:29.893Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T18:45:10Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity

  • CWE-639

    Authorization Bypass Through User-Controlled Key

  • CWE-749

    Exposed Dangerous Method or Function

  • CWE-862

    Missing Authorization