CRITICAL🇵🇱 Wersja polska

CVE-2026-42298

CVSS 10.0v3.1pub. 2026-05-08upd. 2026-06-01

Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801.

🤖 AI Analysis
How it works

A GitHub Actions workflow named 'Build and Publish PR Docker Image' (.github/workflows/pr-docker-build.yml) runs automatically in response to Pull Requests from external repository forks. An attacker can open a Pull Request from a fork where they have maliciously modified the Dockerfile.dev file. During automatic Docker image building in the context of the victim's repository, the injected code is executed with access to the GITHUB_TOKEN environment variable that has write-all permissions for all resources. This allows token exfiltration and further actions within the repository context.

Impact

An attacker can execute arbitrary code in the CI/CD environment, steal the GITHUB_TOKEN with write-all permissions, and then modify source code, publish malicious packages, manipulate releases, or gain access to repository secrets.

Mitigation & patch

The repository should be updated to a version containing commit da44801, which removes the vulnerable workflow configuration. Details available in the vendor's security advisory: GHSA-v975-9h5p-xhm4

Who is affected

Postiz application (postiz-app) in versions before commit da44801 — affects instances using the vulnerable GitHub Actions workflow (.github/workflows/pr-docker-build.yml)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Gitroom Postiz

    APP
    Gitroom
    < 2.21.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEContainer
CWE
References

Related vulnerabilities

CVE-2026-42556HIGH8.9ten sam produkt

Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated ...

CVE-2026-40487HIGH8.9ten sam produkt

Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows ...

CVE-2026-40168HIGH8.2ten sam produkt

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable t...

CVE-2026-34576HIGH8.3ten sam produkt

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url end...

CVE-2026-34577HIGH8.6ten sam produkt

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in Publ...