{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34590", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T17:15:52.499Z", "datePublished": "2026-04-02T17:26:58.902Z", "dateUpdated": "2026-04-03T15:49:51.856Z"}, "containers": {"cna": {"title": "Postiz: SSRF via Webhook Creation Endpoint Missing URL Safety Validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-wc9c-7cv8-m225", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-wc9c-7cv8-m225"}, {"name": "https://github.com/gitroomhq/postiz-app/commit/5ae4c950db6aa516a31454b7a45b9480bca40a11", "tags": ["x_refsource_MISC"], "url": "https://github.com/gitroomhq/postiz-app/commit/5ae4c950db6aa516a31454b7a45b9480bca40a11"}, {"name": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.4"}], "affected": [{"vendor": "gitroomhq", "product": "postiz-app", "versions": [{"version": "< 2.21.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:26:58.902Z"}, "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4."}], "source": {"advisory": "GHSA-wc9c-7cv8-m225", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T15:49:11.229869Z", "id": "CVE-2026-34590", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:49:51.856Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34590", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T15:49:11.229869Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:49:42.960Z"}}], "cna": {"title": "Postiz: SSRF via Webhook Creation Endpoint Missing URL Safety Validation", "source": {"advisory": "GHSA-wc9c-7cv8-m225", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "gitroomhq", "product": "postiz-app", "versions": [{"status": "affected", "version": "< 2.21.4"}]}], "references": [{"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-wc9c-7cv8-m225", "name": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-wc9c-7cv8-m225", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gitroomhq/postiz-app/commit/5ae4c950db6aa516a31454b7a45b9480bca40a11", "name": "https://github.com/gitroomhq/postiz-app/commit/5ae4c950db6aa516a31454b7a45b9480bca40a11", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.4", "name": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:26:58.902Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34590", "state": "PUBLISHED", "dateUpdated": "2026-04-03T15:49:51.856Z", "dateReserved": "2026-03-30T17:15:52.499Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T17:26:58.902Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4."}], "id": "CVE-2026-34590", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:30.670", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/gitroomhq/postiz-app/commit/5ae4c950db6aa516a31454b7a45b9480bca40a11"}, {"source": "security-advisories@github.com", "url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-wc9c-7cv8-m225"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.21.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "postiz-app", "source": "cna", "vendor": "gitroomhq"}, "product": "postiz-app", "vendor": "gitroomhq"}], "analysis": {"en": {"generated_at": "2026-04-02T22:30:26.692091+00:00", "value": {"mitigation_remediation": ["Upgrade Postiz to version 2.21.4 or later to obtain the missing safe URL validation", "If upgrading is not immediately possible, isolate the Postiz deployment from the internal network with firewall rules that block outbound requests to private IP ranges", "Monitor for abnormal outbound traffic originating from the Postiz service and investigate any unexpected requests", "Verify that the webhook creation endpoint is no longer accessible with unsafe URLs by attempting test submissions to internal addresses"], "summary": {"action": "Apply Patch", "impact": "Remote Server\u2011Side Request Forgery via unvalidated webhook URLs"}, "threat_synthesis": {"affected_systems": "The affected product is the AI social media scheduler Postiz developed by GitRoom HQ. Versions earlier than 2.21.4 implement the insecure endpoint. Versions 2.21.4 and later have the proper @IsSafeWebhookUrl validator in place for all webhook\u2011related routes.", "description_and_impact": "The vulnerability resides in the webhook creation endpoint of Postiz, where the supplied URL is only validated against a generic URL format. The missing safety check allows attackers to supply internal or private network addresses. When a post is published, the application retrieves this webhook URL without further validation and dereferences it, enabling a blind SSRF that can access services hidden behind the server\u2019s network. Because the attacker has no feedback on the server\u2019s response, the attack can be used to probe internal infrastructure or exfiltrate data from internal systems. The identified weakness corresponds to Category 918, Third\u2011Party Remote Address or URL Validation.", "risk_and_exploitability": "The CVSS base score of 5.4 indicates medium severity. No EPSS value is provided, and the vulnerability is not listed in the CISA KEV catalog, implying that while the flaw is straightforward to exploit, it may not be widely used in the wild. The attack vector is internal, requiring the victim to be running a compromised Postiz instance. Attackers can reach any internal network resource that the server can contact, which could include databases, internal APIs, or management consoles. In the absence of additional defenses, a successful exploit would compromise the confidentiality and integrity of those internal services."}}}}, "created": "2026-04-03T07:32:15.084518+00:00", "updated": "2026-04-03T09:17:20.583811+00:00", "vendors": ["gitroomhq", "gitroomhq$PRODUCT$postiz-app"]}