{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40168", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T19:31:56.014Z", "datePublished": "2026-04-10T19:20:16.365Z", "dateUpdated": "2026-04-13T20:55:15.792Z"}, "containers": {"cna": {"title": "Postiz has Server-Side Request Forgery via Redirect Bypass in /api/public/stream", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww"}, {"name": "https://github.com/gitroomhq/postiz-app/commit/30e8b777098157362769226d1b46d83ad616cb06", "tags": ["x_refsource_MISC"], "url": "https://github.com/gitroomhq/postiz-app/commit/30e8b777098157362769226d1b46d83ad616cb06"}, {"name": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.5"}], "affected": [{"vendor": "gitroomhq", "product": "postiz-app", "versions": [{"version": "< 2.21.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T19:20:16.365Z"}, "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource."}], "source": {"advisory": "GHSA-34w8-5j2v-h6ww", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T20:55:02.053732Z", "id": "CVE-2026-40168", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:55:15.792Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40168", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T20:55:02.053732Z"}}}], "references": [{"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:55:11.223Z"}}], "cna": {"title": "Postiz has Server-Side Request Forgery via Redirect Bypass in /api/public/stream", "source": {"advisory": "GHSA-34w8-5j2v-h6ww", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gitroomhq", "product": "postiz-app", "versions": [{"status": "affected", "version": "< 2.21.5"}]}], "references": [{"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww", "name": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gitroomhq/postiz-app/commit/30e8b777098157362769226d1b46d83ad616cb06", "name": "https://github.com/gitroomhq/postiz-app/commit/30e8b777098157362769226d1b46d83ad616cb06", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.5", "name": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T19:20:16.365Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40168", "state": "PUBLISHED", "dateUpdated": "2026-04-13T20:55:15.792Z", "dateReserved": "2026-04-09T19:31:56.014Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T19:20:16.365Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8244F9F-08C4-4279-883D-470D3C7145F8", "versionEndExcluding": "2.21.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource."}], "id": "CVE-2026-40168", "lastModified": "2026-04-14T20:09:03.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T20:16:22.643", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/gitroomhq/postiz-app/commit/30e8b777098157362769226d1b46d83ad616cb06"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.21.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "postiz-app", "source": "cna", "vendor": "gitroomhq"}, "product": "postiz-app", "vendor": "gitroomhq"}], "analysis": {"en": {"generated_at": "2026-04-15T08:21:56.141351+00:00", "value": {"mitigation_remediation": ["Upgrade Postiz to version 2.21.5 or later.", "Restrict access to the /api/public/stream endpoint by firewall rules or authentication so that only trusted users or IPs can invoke it.", "Enable detailed logging of outgoing HTTPS requests from the server and monitor for unexpected internal host accesses."], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the GitRoomHQ Postiz application before version 2.21.5. Any installations using prior releases that expose the /api/public/stream endpoint are at risk. No specific platform details are available beyond the Postiz app itself.", "description_and_impact": "The vulnerability is a server\u2011side request forgery that allows an attacker to force the application to retrieve a URL that initially appears valid but ultimately redirects to an internal host. Because the server reuses the initial validation without checking the final destination, it fetches the internal resource unimpeded. This flaw, classified as CWE\u2011918, permits unauthorized access to internal network services, potentially exposing sensitive data or allowing further internal exploitation. The attack can be performed remotely by sending a crafted request to the /api/public/stream endpoint.\n\nAffected systems include the GitRoomHQ Postiz application, versions released before 2.21.5. Any deployment of Postiz that has not applied the 2.21.5 update is vulnerable. The vulnerability applies to all installations where the /api/public/stream endpoint is exposed, regardless of user role.\n\nRisk assessment indicates a high severity score of 8.2 on CVSS, suggesting significant potential impact. The EPSS score is below 1%, implying a low probability of exploitation at this time, and the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a remote HTTP request that passes initial validation but follows a redirect to an internal target.", "risk_and_exploitability": "The CVSS score of 8.2 reflects a high severity due to the potential for unauthorized internal network access. An attacker could exploit the flaw remotely by crafting a request that leverages server\u2011side redirects to reach internal services. The EPSS score of less than 1% suggests that the likelihood of exploitation remains low at present, and the vulnerability has not yet been listed in the CISA KEV catalog."}}}}, "created": "2026-04-13T12:42:47.283979+00:00", "updated": "2026-04-15T16:00:07.790255+00:00", "vendors": ["gitroomhq", "gitroomhq$PRODUCT$postiz-app"]}