AI Social Media Tool Vulnerability in Postiz by Gitroom
CVE-2026-48781

9.9 CRITICAL

Key Information:

Vendor: Gitroomhq
CVE Published: 16 June 2026

What is CVE-2026-48781?

A critical vulnerability exists in Postiz, an AI-driven social media scheduling tool. In versions before 2.21.8, a flaw in the Skool integration allowed attackers to manipulate a JSON blob and create a forged session-shape JWT signed with the application's JWT_SECRET. The authorization middleware trusted every claim in this JWT without revalidating the user against the database. As a result, any authenticated user could gain SUPERADMIN privileges and impersonate any organization on that Postiz instance. This gave unauthorized access to all Postiz functionality, including control over user accounts and the ability to post on behalf of victims' social media accounts. The issue is fixed in version 2.21.8.

Affected Version(s)

postiz-app < 2.21.8

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved