CVE-2026-48781
CRITICALPostiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery
Title source: cnaDescription
Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed Full Access to the following: all parts of Postiz, including users registered to the specific instance and the ability to post in the name of the victim's social media channels added to that Postiz instance. This issue has been fixed in version 2.21.8.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-j77w-h625-56q2
X_Refsource_Misc x_refsource_misc
https://github.com/gitroomhq/postiz-app/commit/23696d2973510ae1f3f48bfa41a6bfbbf9827b05
X_Refsource_Misc x_refsource_misc
https://gadvisory.org/advisories/PSA-2026-2CAQ96
X_Refsource_Misc x_refsource_misc
http://github.com/gitroomhq/postiz-app/releases/tag/v2.21.8
Scores
CVSS v3
9.9
EPSS
0.0026
EPSS Percentile
17.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-302
CWE-345
CWE-863
Status
published
Products (1)
gitroomhq/postiz-app
< 2.21.8
Published
Jun 17, 2026
Tracked Since
Jun 17, 2026