CVE-2026-40168

HIGH

Postiz has Server-Side Request Forgery via Redirect Bypass in /api/public/stream

Title source: cna

Description

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource.

References (3)

Scores

CVSS v3 8.2
EPSS 0.0006
EPSS Percentile 17.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Details

CWE
CWE-918
Status published
Products (2)
gitroom/postiz < 2.21.5
gitroomhq/postiz-app < 2.21.5
Published Apr 10, 2026
Tracked Since Apr 11, 2026