Webhooks URL Validation Flaw in Postiz AI Social Media Tool
CVE-2026-34590

5.4MEDIUM

Key Information:

Vendor

Gitroomhq

Status
Postiz-app
Vendor
CVE Published:
2 April 2026

What is CVE-2026-34590?

The Postiz AI social media scheduling tool features a security vulnerability due to insufficient URL validation for the creation of webhooks. Specifically, prior to version 2.21.4, the application relied solely on format checks (via @IsUrl()) for validating webhook URLs. This inadequate validation overlooked the inclusion of a critical check aimed at blocking internal or private network addresses, which could enable attackers to exploit the system. Upon publishing a post, the orchestrator retrieves the webhook URL without runtime validation, thus leaving the application susceptible to blind Server-Side Request Forgery (SSRF) attacks against internal services. This vulnerability has been mitigated in version 2.21.4.

Affected Version(s)

postiz-app < 2.21.4

References

https://github.com/gitroomhq/postiz-app/security/advisori...
x_refsource_CONFIRM
https://github.com/gitroomhq/postiz-app/commit/5ae4c950db...
x_refsource_MISC
https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.4
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.