Time-of-Check-Time-of-Use Vulnerability in Postiz AI Social Media Scheduling Tool
CVE-2026-42346

6.5 MEDIUM

Key Information:

Vendor:
Gitroomhq

CVE Published:
8 May 2026

What is CVE-2026-42346?

Postiz, an AI-powered social media scheduling tool, has a flaw in its SSRF protections. In versions from 2.16.6 up to and including 2.21.6, the isSafePublicHttpsUrl() function is subject to a Time-of-Check-Time-of-Use (TOCTOU) race: it resolves the target hostname and verifies that the resulting IP is acceptable, but the subsequent fetch() call performs its own, independent DNS resolution. An attacker who controls the DNS server answering for a hostname can therefore return a public address during the check and an internal one during the fetch (DNS rebinding), redirecting a request that passed validation to an internal network location. The issue has been addressed in version 2.21.7, which underscores the importance of applying updates promptly.
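The following is an added example, not Postiz code, showing the resolve-then-fetch shape the advisory describes beside a version that pins the vetted address. The resolver and connect helpers are constructed, synchronous stand-ins so the block runs offline; real code would use dns.lookup() and fetch(), which are asynchronous.

```javascript
// Constructed stand-in for a DNS server under someone else's control: answers
// are served in order, so the first lookup sees a public address and the next
// one a loopback address (the rebinding sequence the advisory describes).
function makeRebindingResolver(answers) {
  let i = 0;
  return () => answers[Math.min(i++, answers.length - 1)];
}

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Accept only a literal IPv4 address outside the ranges an SSRF-prone fetch
// must never reach: RFC 1918, loopback, link-local (incl. cloud metadata),
// and "this network". Anything else (names, IPv6, junk) is rejected.
function isSafePublicIPv4(ip) {
  const m = IPV4.exec(ip);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  if (octets.some((n) => n > 255)) return false;
  const [a, b] = octets;
  return !(a === 10 || a === 127 || a === 0 || (a === 169 && b === 254) ||
           (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168));
}

// Vulnerable shape (hypothetical, modelled on the advisory): the hostname is
// checked, then handed to a client that resolves it a second time. Nothing
// ties the address that was checked to the address that gets connected to.
function checkThenFetch(url, resolve, connect) {
  const host = new URL(url).hostname;
  if (!isSafePublicIPv4(resolve(host))) throw new Error('blocked by check');
  return connect(resolve(host), host); // second lookup is never inspected
}

// Hardened shape: connect to the exact address that passed the check and pass
// the hostname only as the Host header / SNI value.
function checkThenFetchPinned(url, resolve, connect) {
  const host = new URL(url).hostname;
  const vetted = resolve(host);
  if (!isSafePublicIPv4(vetted)) throw new Error('blocked by check');
  return connect(vetted, host);
}

// Constructed connect stand-in: records which address would actually be dialled.
function recordingConnect(ip, hostHeader) {
  return { ip, hostHeader };
}
```

In Node the pinning is done by feeding the vetted address through the HTTP client's custom lookup hook (the lookup option of http.request()) rather than by substituting the IP into the URL, and the check must be repeated for every redirect the client follows.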

Affected Version(s)

postiz-app >= 2.16.6, < 2.21.7

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved