Authentication Failure in Postiz AI Social Media Tool Exposes Subscription Management
CVE-2026-48799
7.7HIGH
What is CVE-2026-48799?
Prior to version 2.21.8, Postiz, an AI-driven social media scheduling application, failed to properly authenticate Nowpayments IPN callbacks against the shared secret provided by the payment provider. This oversight allowed low-privileged accounts to manipulate subscription identifiers within the untrusted request body, resulting in the potential for granting unauthorized lifetime PRO subscriptions to arbitrary organizations without the necessity for payment. The issue has been mitigated in version 2.21.8.
Affected Version(s)
postiz-app < 2.21.8
