Authentication Failure in Postiz AI Social Media Tool Exposes Subscription Management
CVE-2026-48799

7.7HIGH

Key Information:

Vendor

Gitroomhq

Vendor
CVE Published:
15 July 2026

What is CVE-2026-48799?

Prior to version 2.21.8, Postiz, an AI-driven social media scheduling application, failed to properly authenticate Nowpayments IPN callbacks against the shared secret provided by the payment provider. This oversight allowed low-privileged accounts to manipulate subscription identifiers within the untrusted request body, resulting in the potential for granting unauthorized lifetime PRO subscriptions to arbitrary organizations without the necessity for payment. The issue has been mitigated in version 2.21.8.

Affected Version(s)

postiz-app < 2.21.8

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.