HIGH🇬🇧 English

CVE-2026-34577

CVSS 8.6v3.1pub. 2026-04-02upd. 2026-04-07

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  • Gitroom Postiz

    APP
    Gitroom
    < 2.21.3
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
SSRFAuth Bypass
CWE
Referencje

Powiązane podatności

CVE-2026-42298CRITICAL10.0PL ✓ten sam produkt

Postiz: wykonanie kodu w workflow GitHub Actions przez złośliwy Pull Request

CVE-2026-42556HIGH8.9ten sam produkt

Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated ...

CVE-2026-40487HIGH8.9ten sam produkt

Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows ...

CVE-2026-40168HIGH8.2ten sam produkt

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable t...

CVE-2026-34576HIGH8.3ten sam produkt

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url end...