Unauthenticated Endpoint Vulnerability in Postiz AI Social Media Scheduling Tool
CVE-2026-48783

4.8 MEDIUM

Key Information:

Vendor: Gitroomhq
CVE Published: 16 June 2026

What is CVE-2026-48783?

Postiz, an AI-driven social media scheduling tool, exposes in versions before 2.21.8 an unauthenticated endpoint at /public/modify-subscription that accepts signed tokens without validating their intended use. Although the issue does not permit changing subscription tiers, it allows an attacker to trigger specific enforcement actions against their own organization, such as modifying team member access, disabling integrations that exceed the subscription plan, and resetting scheduled posts on the free tier. The impact is confined to the attacker's own organization; other users or tenants cannot be affected.
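An added illustration of the flaw described above, not Postiz's own code: an HMAC-signed token verifier in the weak form that checks only the signature, beside a hardened form that also binds the token to the endpoint's purpose and checks its lifetime. The secret, claim names and purpose strings are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"demo-secret-do-not-use"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(org_id: str, purpose: str, ttl: int = 3600) -> str:
    """Sign a payload naming the organization, the intended use and an expiry."""
    payload = {"org": org_id, "purpose": purpose, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_signature_only(token: str) -> Optional[dict]:
    """Weak pattern: any validly signed token is accepted, whatever it was issued for."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(body))


def verify_for_purpose(token: str, expected_purpose: str) -> Optional[dict]:
    """Hardened pattern: signature valid AND issued for this endpoint AND unexpired."""
    payload = verify_signature_only(token)
    if payload is None:
        return None
    if payload.get("purpose") != expected_purpose:
        return None  # token was minted for some other flow; reject it
    if payload.get("exp", 0) < time.time():
        return None  # stale token; reject it
    return payload


if __name__ == "__main__":
    other = mint_token("org-123", "email-verify")  # constructed token for another flow
    print(verify_signature_only(other) is not None)          # True: weak check accepts it
    print(verify_for_purpose(other, "modify-subscription"))  # None: hardened check rejects it
```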

Affected Version(s)

postiz-app < 2.21.8

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
