Postiz is an AI social media scheduling tool. Prior to 2.21.8, Postiz fails to verify Nowpayments IPN callback authenticity against the payment provider shared secret and reads the target subscription identifier from the untrusted request body, allowing a low-privileged account to grant arbitrary organizations lifetime PRO subscriptions without payment. This issue is fixed in version 2.21.8.
Metrics
Affected Vendors & Products
References
History
Wed, 15 Jul 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Gitroomhq
Gitroomhq postiz-app |
|
| Vendors & Products |
Gitroomhq
Gitroomhq postiz-app |
Wed, 15 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Postiz is an AI social media scheduling tool. Prior to 2.21.8, Postiz fails to verify Nowpayments IPN callback authenticity against the payment provider shared secret and reads the target subscription identifier from the untrusted request body, allowing a low-privileged account to grant arbitrary organizations lifetime PRO subscriptions without payment. This issue is fixed in version 2.21.8. | |
| Title | Postiz: Unauthenticated arbitrary lifetime PRO grant via Nowpayments webhook | |
| Weaknesses | CWE-345 CWE-639 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T18:01:49.289Z
Reserved: 2026-05-22T20:18:20.366Z
Link: CVE-2026-48799
Updated: 2026-07-15T18:01:45.596Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T22:00:06Z