CVE-2026-34577: CWE-918: Server-Side Request Forgery (SSRF) in gitroomhq postiz-app
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3.
AI Analysis
Technical Summary
The postiz-app by gitroomhq has an SSRF vulnerability (CWE-918) in the GET /public/stream endpoint of PublicController. The endpoint accepts a user-controlled url query parameter and returns the proxied HTTP response. The validation only checks if the URL ends with 'mp4', which can be trivially bypassed by appending '.mp4' as a query parameter or fragment. Because the endpoint requires no authentication and lacks SSRF protections, attackers can exploit this to read responses from internal services and cloud metadata endpoints. The vulnerability is fixed in version 2.21.3.
Potential Impact
An unauthenticated attacker can exploit this SSRF vulnerability to access internal network resources and sensitive data such as cloud metadata, potentially leading to information disclosure. The vulnerability does not allow integrity or availability impacts but has a high confidentiality impact. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade the postiz-app to version 2.21.3 or later, where this SSRF vulnerability has been patched. Prior to upgrading, restrict access to the vulnerable endpoint if possible. Patch status is confirmed as an official fix in version 2.21.3.
CVE-2026-34577: CWE-918: Server-Side Request Forgery (SSRF) in gitroomhq postiz-app
Description
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The postiz-app by gitroomhq has an SSRF vulnerability (CWE-918) in the GET /public/stream endpoint of PublicController. The endpoint accepts a user-controlled url query parameter and returns the proxied HTTP response. The validation only checks if the URL ends with 'mp4', which can be trivially bypassed by appending '.mp4' as a query parameter or fragment. Because the endpoint requires no authentication and lacks SSRF protections, attackers can exploit this to read responses from internal services and cloud metadata endpoints. The vulnerability is fixed in version 2.21.3.
Potential Impact
An unauthenticated attacker can exploit this SSRF vulnerability to access internal network resources and sensitive data such as cloud metadata, potentially leading to information disclosure. The vulnerability does not allow integrity or availability impacts but has a high confidentiality impact. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade the postiz-app to version 2.21.3 or later, where this SSRF vulnerability has been patched. Prior to upgrading, restrict access to the vulnerable endpoint if possible. Patch status is confirmed as an official fix in version 2.21.3.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T16:56:30.998Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cea98de6bfc5ba1defd63e
Added to database: 4/2/2026, 5:38:21 PM
Last enriched: 4/9/2026, 10:45:58 PM
Last updated: 5/20/2026, 8:50:42 PM
Views: 81
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.