{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34576", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:56:30.998Z", "datePublished": "2026-04-02T17:23:14.827Z", "dateUpdated": "2026-04-02T18:57:33.241Z"}, "containers": {"cna": {"title": "Postiz: SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-89vp-m2qw-7v34", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-89vp-m2qw-7v34"}, {"name": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3"}], "affected": [{"vendor": "gitroomhq", "product": "postiz-app", "versions": [{"version": "< 2.21.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:23:14.827Z"}, "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.) which is trivially bypassed by appending an image extension to any URL path. An authenticated API user can fetch internal network resources, cloud instance metadata, and other internal services, with the response data uploaded to storage and returned to the attacker. This issue has been patched in version 2.21.3."}], "source": {"advisory": "GHSA-89vp-m2qw-7v34", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T18:57:23.395181Z", "id": "CVE-2026-34576", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:57:33.241Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34576", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T18:57:23.395181Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:57:28.329Z"}}], "cna": {"title": "Postiz: SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata", "source": {"advisory": "GHSA-89vp-m2qw-7v34", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gitroomhq", "product": "postiz-app", "versions": [{"status": "affected", "version": "< 2.21.3"}]}], "references": [{"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-89vp-m2qw-7v34", "name": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-89vp-m2qw-7v34", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3", "name": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.) which is trivially bypassed by appending an image extension to any URL path. An authenticated API user can fetch internal network resources, cloud instance metadata, and other internal services, with the response data uploaded to storage and returned to the attacker. This issue has been patched in version 2.21.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:23:14.827Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34576", "state": "PUBLISHED", "dateUpdated": "2026-04-02T18:57:33.241Z", "dateReserved": "2026-03-30T16:56:30.998Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T17:23:14.827Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:*", "matchCriteriaId": "D21ABC46-FB7C-419E-81AA-D0BDD64100CC", "versionEndExcluding": "2.21.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.) which is trivially bypassed by appending an image extension to any URL path. An authenticated API user can fetch internal network resources, cloud instance metadata, and other internal services, with the response data uploaded to storage and returned to the attacker. This issue has been patched in version 2.21.3."}], "id": "CVE-2026-34576", "lastModified": "2026-04-07T21:21:43.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:30.180", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-89vp-m2qw-7v34"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.21.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "postiz-app", "source": "cna", "vendor": "gitroomhq"}, "product": "postiz-app", "vendor": "gitroomhq"}], "analysis": {"en": {"generated_at": "2026-04-07T23:30:48.715765+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch to upgrade Postiz to version 2.21.3 or later.", "If an upgrade is not immediately possible, restrict access to the /public/v1/upload-from-url endpoint to trusted IP ranges only.", "Implement an application\u2011level whitelist or blocklist for external URLs and disallow internal IP address ranges.", "Monitor API activity for abnormal upload-from-url requests and review logs for attempts to reach internal or cloud metadata endpoints."], "summary": {"action": "Immediate Patch", "impact": "Remote Server Side Request Forgery exposing internal resources and cloud metadata"}, "threat_synthesis": {"affected_systems": "The product affected is the Postiz application from GitRoomhq (gitroomhq:postiz-app). Vulnerable versions are all releases prior to v2.21.3; a patch was issued in v2.21.3 to eliminate the SSRF flaw.", "description_and_impact": "This vulnerability arises from the POST /public/v1/upload-from-url endpoint in the Postiz AI social media scheduling tool. The server fetches the requested URL with axios.get() without any SSRF protection other than a trivial file extension filter. By appending an allowable image extension to any URL, an attacker can cause the server to retrieve arbitrary internal resources, access cloud instance metadata, and reach other internal services. The retrieved content is then stored and returned to the attacker, leading to potential information disclosure of internal network data and cloud configuration. The weakness corresponds to CWE\u2011918 and results in a compromise of confidentiality and possibly availability of the internal environment.", "risk_and_exploitability": "With a CVSS score of 8.3, the vulnerability is rated high severity. The EPSS score is below 1%, indicating a low current exploitation probability, yet the potential impact remains significant. The issue is not listed in CISA\u2019s KEV catalog. The likely attack vector involves an authenticated API user sending a crafted URL to the upload-from-url endpoint. The absence of additional safeguards means that exploitation requires only the ability to authenticate and send a request to the vulnerable endpoint."}}}}, "created": "2026-04-03T07:32:17.041207+00:00", "updated": "2026-04-08T19:55:30.473091+00:00", "vendors": ["gitroomhq", "gitroomhq$PRODUCT$postiz-app"]}