Server-Side Request Forgery Vulnerability in Postiz AI Social Media Tool
CVE-2026-40168
8.2 HIGH
What is CVE-2026-40168?
Postiz, an AI social media scheduling tool, is vulnerable to Server-Side Request Forgery (SSRF) in its /api/public/stream endpoint in versions prior to 2.21.5. The endpoint validates the user-supplied URL once, rejecting private and internal hosts, but it does not re-validate the destination after following HTTP redirects. An attacker can therefore supply a public HTTPS URL that passes the initial check and have that URL redirect the server-side request to internal resources that should otherwise remain unreachable.
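The following is an added illustration of the flaw class described above, not Postiz's own code. It shows a fetcher that validates the URL once and then follows redirects blindly, next to a hardened fetcher that re-validates the destination of every hop and bounds the redirect chain. DNS resolution and HTTP transport are replaced by constructed in-memory tables (FAKE_DNS, FAKE_HTTP) so the example runs offline; the hostnames, addresses and paths in them are assumptions for the demonstration.

```python
"""Redirect-aware SSRF guard: validate-once (vulnerable) vs. validate-every-hop (hardened).
Added example; not taken from the affected project."""
import ipaddress
from urllib.parse import urlparse, urljoin

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "attacker.example": "93.184.216.34",       # resolves to a public address
    "metadata.internal": "169.254.169.254",    # link-local, never reachable from user input
}

# Constructed stand-in for HTTP: url -> (status, headers, body).
FAKE_HTTP = {
    "https://attacker.example/stream": (302, {"Location": "http://169.254.169.254/latest/"}, b""),
    "http://169.254.169.254/latest/": (200, {}, b"internal metadata"),
    "https://attacker.example/hop": (302, {"Location": "/ok"}, b""),
    "https://attacker.example/ok": (200, {}, b"public content"),
    "https://attacker.example/loop": (302, {"Location": "https://attacker.example/loop"}, b""),
    "http://127.0.0.1:3000/admin": (200, {}, b"internal admin"),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


class BlockedDestination(Exception):
    """Raised when a URL (initial or post-redirect) points at a non-public destination."""


def resolve(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise BlockedDestination(f"unresolvable host {host!r}")


def check_url(url):
    """Allow only http(s) URLs whose host resolves to a globally routable address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedDestination(f"bad scheme or host in {url!r}")
    try:
        ip = ipaddress.ip_address(parts.hostname)      # literal IP in the URL
    except ValueError:
        ip = ipaddress.ip_address(resolve(parts.hostname))
    # is_global is False for loopback, link-local, RFC 1918, ULA, etc.
    if not ip.is_global:
        raise BlockedDestination(f"{parts.hostname} resolves to non-public {ip}")
    return url


def fake_request(url):
    """Perform one request with redirects NOT followed automatically."""
    return FAKE_HTTP[url]


def fetch_vulnerable(url):
    """Validate the submitted URL once, then follow redirects without re-checking.
    This is the pattern the advisory describes."""
    check_url(url)
    while True:
        status, headers, body = fake_request(url)
        if status in REDIRECT_CODES:
            url = urljoin(url, headers["Location"])    # destination never re-validated
            continue
        return url, body


def fetch_hardened(url, max_redirects=5):
    """Re-validate the destination of every hop and cap the chain length."""
    for _ in range(max_redirects + 1):
        check_url(url)                                   # applies to redirect targets too
        status, headers, body = fake_request(url)
        if status in REDIRECT_CODES:
            url = urljoin(url, headers["Location"])
            continue
        return url, body
    raise BlockedDestination(f"more than {max_redirects} redirects")


if __name__ == "__main__":
    print("vulnerable:", fetch_vulnerable("https://attacker.example/stream"))
    try:
        fetch_hardened("https://attacker.example/stream")
    except BlockedDestination as e:
        print("hardened blocked:", e)
```

In a real client the same structure applies: disable automatic redirect following (for example `allow_redirects=False` in `requests`, or `redirect: "manual"` with `fetch`) and loop over hops yourself so each target passes `check_url`. A further caveat not covered by this example is DNS rebinding: to rule it out, resolve once, validate the resulting address, and connect to that address rather than letting the HTTP library resolve the hostname a second time.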
Affected Version(s)
postiz-app < 2.21.5
