{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34577", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:56:30.998Z", "datePublished": "2026-04-02T17:24:33.725Z", "dateUpdated": "2026-04-03T15:52:56.345Z"}, "containers": {"cna": {"title": "Postiz: Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-mv6h-v3jg-g539", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-mv6h-v3jg-g539"}, {"name": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3"}], "affected": [{"vendor": "gitroomhq", "product": "postiz-app", "versions": [{"version": "< 2.21.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:24:33.725Z"}, "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3."}], "source": {"advisory": "GHSA-mv6h-v3jg-g539", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T15:52:16.506297Z", "id": "CVE-2026-34577", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:52:56.345Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34577", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T15:52:16.506297Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:52:48.309Z"}}], "cna": {"title": "Postiz: Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check", "source": {"advisory": "GHSA-mv6h-v3jg-g539", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gitroomhq", "product": "postiz-app", "versions": [{"status": "affected", "version": "< 2.21.3"}]}], "references": [{"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-mv6h-v3jg-g539", "name": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-mv6h-v3jg-g539", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3", "name": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:24:33.725Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34577", "state": "PUBLISHED", "dateUpdated": "2026-04-03T15:52:56.345Z", "dateReserved": "2026-03-30T16:56:30.998Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T17:24:33.725Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:*", "matchCriteriaId": "D21ABC46-FB7C-419E-81AA-D0BDD64100CC", "versionEndExcluding": "2.21.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3."}], "id": "CVE-2026-34577", "lastModified": "2026-04-07T21:21:47.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:30.347", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-mv6h-v3jg-g539"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.21.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "postiz-app", "source": "cna", "vendor": "gitroomhq"}, "product": "postiz-app", "vendor": "gitroomhq"}], "analysis": {"en": {"generated_at": "2026-04-07T23:54:47.046753+00:00", "value": {"mitigation_remediation": ["Update Postiz to version 2.21.3 or later"], "summary": {"action": "Apply Patch", "impact": "Unauthenticated SSRF exposing internal services"}, "threat_synthesis": {"affected_systems": "Gitroomhq\u2019s Postiz application, specifically versions earlier than 2.21.3, is affected. The issue is fixed in release 2.21.3 and any later version.", "description_and_impact": "The vulnerability allows any user to supply a URL to the /public/stream endpoint and have the application fetch the full HTTP response, returning it to the requester. The only validation is a weak check that the URL ends with \".mp4\", which can be trivially bypassed by adding \".mp4\" as a query parameter or fragment. Because the endpoint is unauthenticated and lacks SSRF safeguards, an attacker can read data from internal services, cloud metadata endpoints, and other network resources that are reachable from the host. This weakness is a Server Side Request Forgery, allowing confidentiality compromise of internal systems.", "risk_and_exploitability": "The CVSS score of 8.6 indicates a high severity flaw. The EPSS score is below 1%, suggesting a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Since the endpoint requires no authentication and imposes no SSRF prevention, the attack can be carried out by anyone with access to the application\u2019s public interface, making the exposure straightforward for an adversary who discovers it."}}}}, "created": "2026-04-03T07:32:16.060753+00:00", "updated": "2026-04-08T19:55:29.412284+00:00", "vendors": ["gitroomhq", "gitroomhq$PRODUCT$postiz-app"]}