CVE-2026-34577: CWE-918: Server-Side Request Forgery (SSRF) in gitroomhq postiz-app
CVE-2026-34577 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the Postiz AI social media scheduling tool by gitroomhq, affecting versions prior to 2.21.3. The vulnerability exists in the GET /public/stream endpoint, which accepts a user-supplied URL parameter and proxies the full HTTP response without proper validation. The only check, url.endsWith('mp4'), is easily bypassed, allowing unauthenticated attackers to access internal network resources, including cloud metadata services. Exploitation requires no authentication or user interaction, posing a significant risk to confidentiality. The issue has been patched in version 2.21.3.
AI Analysis
Technical Summary
CVE-2026-34577 is a Server-Side Request Forgery (SSRF) vulnerability identified in the Postiz application, an AI-driven social media scheduling tool developed by gitroomhq. The flaw exists in the GET /public/stream endpoint within the PublicController, which accepts a user-supplied URL via the 'url' query parameter and proxies the entire HTTP response back to the requester. The endpoint performs minimal validation, only checking if the URL ends with 'mp4'. This validation is trivially bypassed by appending '.mp4' as a query parameter or URL fragment, allowing attackers to supply arbitrary URLs. Since the endpoint requires no authentication and lacks SSRF protections, attackers can exploit it to make the server perform HTTP requests to internal network resources, including sensitive cloud metadata endpoints (e.g., AWS, Azure, GCP metadata services) and other internal services not normally accessible externally. This can lead to unauthorized disclosure of sensitive information such as credentials, tokens, or configuration data. The vulnerability affects all versions of Postiz prior to 2.21.3, where the issue has been patched. The CVSS v3.1 base score is 8.6 (High), reflecting the ease of exploitation (network accessible, no privileges or user interaction required) and the high confidentiality impact. No known exploits in the wild have been reported as of the publication date. The vulnerability is categorized under CWE-918 (Server-Side Request Forgery).
Potential Impact
The primary impact of this SSRF vulnerability is the unauthorized disclosure of sensitive internal information, which can severely compromise the confidentiality of organizational data. Attackers can leverage this flaw to access internal services that are otherwise inaccessible from the internet, including cloud provider metadata endpoints that often contain credentials or tokens for cloud resources. This can lead to further compromise of cloud infrastructure, lateral movement within internal networks, and potential data breaches. Since the vulnerability does not affect integrity or availability directly, its main risk lies in information leakage that can facilitate subsequent attacks. Organizations using vulnerable versions of Postiz risk exposure of sensitive internal data, which can undermine trust, lead to regulatory penalties, and cause operational disruptions if attackers escalate privileges or exfiltrate critical information.
Mitigation Recommendations
Organizations should immediately upgrade Postiz to version 2.21.3 or later, where the SSRF vulnerability has been patched. Until upgrading, restrict access to the vulnerable endpoint by implementing network-level controls such as firewalls or web application firewalls (WAFs) to block suspicious or external requests targeting the GET /public/stream endpoint. Employ strict input validation and sanitization on any user-supplied URLs to ensure they cannot be manipulated to access internal resources. Additionally, implement network segmentation and restrict server access to internal services and cloud metadata endpoints to minimize the attack surface. Monitoring and logging HTTP requests to detect unusual proxying behavior can help identify exploitation attempts. Finally, review cloud provider IAM roles and metadata service configurations to enforce the principle of least privilege and reduce the impact of potential SSRF attacks.
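As an added illustration of the strict URL validation the recommendations call for (example code written for this page, not Postiz's own implementation or its 2.21.3 fix), the following TypeScript puts the weak suffix check the advisory describes beside a hardened validator for a media-proxy URL parameter. The function names, the https-only rule, the optional host allowlist and the internal DNS suffixes are assumptions made for the example; the sample URLs in the comments are constructed test vectors.

```typescript
// Added example (not Postiz code): weak suffix check from the advisory
// beside a hardened validator for a "stream this media URL" endpoint.

// The check the advisory describes: any string ending in "mp4" passes, so
// "?x=.mp4" or "#.mp4" appended to an arbitrary URL satisfies it.
function weakCheck(url: string): boolean {
  return url.endsWith("mp4");
}

type ValidationResult =
  | { ok: true; url: URL }
  | { ok: false; reason: string };

function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Non-public IPv4 ranges: "this host", RFC 1918, loopback, CGNAT, link-local
// (which covers the 169.254.0.0/16 cloud metadata address), multicast/reserved.
function isNonPublicIPv4(ip: string): boolean {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    return true; // unparseable: fail closed
  }
  const [a, b] = parts;
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a >= 224
  );
}

// IPv4-mapped IPv6 (::ffff:a.b.c.d). Node's URL parser rewrites the dotted
// form to hex groups (::ffff:7f00:1), so both spellings are handled.
function mappedIPv4(ip: string): string | null {
  const m = /^::ffff:(.+)$/i.exec(ip);
  if (!m) return null;
  const rest = m[1];
  if (rest.includes(".")) return rest;
  const groups = rest.split(":");
  if (groups.length !== 2) return null;
  const hi = parseInt(groups[0], 16);
  const lo = parseInt(groups[1], 16);
  if (Number.isNaN(hi) || Number.isNaN(lo)) return null;
  return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
}

function isNonPublicIPv6(ip: string): boolean {
  const mapped = mappedIPv4(ip);
  if (mapped !== null) return isNonPublicIPv4(mapped);
  const lower = ip.toLowerCase();
  return (
    lower === "::" || lower === "::1" ||
    /^f[cd]/.test(lower) ||   // unique local fc00::/7
    /^fe[89ab]/.test(lower)   // link-local fe80::/10
  );
}

// Hardened validator: parse the URL, pin the scheme, check the *path* suffix
// rather than the raw string, refuse literal non-public addresses and
// internal hostnames and, optionally, require an allowlisted host.
// Assumption: the caller then resolves the hostname, re-checks the resolved
// address with the same range rules and connects to that pinned address;
// a public-looking name that resolves to an internal IP cannot be caught here.
function validateStreamUrl(raw: string, allowedHosts?: string[]): ValidationResult {
  const url = parseUrl(raw);
  if (url === null) return { ok: false, reason: "unparseable URL" };
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials in URL" };
  }
  // "https://host/admin?x=.mp4" and "https://host/admin#.mp4" fail here
  if (!url.pathname.toLowerCase().endsWith(".mp4")) {
    return { ok: false, reason: "path does not name an .mp4 file" };
  }
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  // internal DNS suffixes are deployment-specific; these are example values
  if (host === "localhost" || host.endsWith(".localhost") || host.endsWith(".internal") || host.endsWith(".local")) {
    return { ok: false, reason: "internal hostname" };
  }
  // the URL parser canonicalises IPv4 hosts, so "2130706433" arrives as 127.0.0.1
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) && isNonPublicIPv4(host)) {
    return { ok: false, reason: "non-public IPv4 address" };
  }
  if (host.includes(":") && isNonPublicIPv6(host)) {
    return { ok: false, reason: "non-public IPv6 address" };
  }
  if (allowedHosts && !allowedHosts.map((h) => h.toLowerCase()).includes(host)) {
    return { ok: false, reason: "host not on allowlist" };
  }
  return { ok: true, url };
}
```

The path-suffix check alone closes the query-string and fragment bypass the advisory describes, but a suffix check is not an SSRF control: the address checks and, in production, resolution with address pinning are what keep the proxy from reaching internal services, and the network-level restrictions on metadata and internal endpoints in the recommendations above remain necessary as a second layer.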
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-30T16:56:30.998Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cea98de6bfc5ba1defd63e
Added to database: 4/2/2026, 5:38:21 PM
Last enriched: 4/2/2026, 5:53:33 PM
Last updated: 4/2/2026, 6:53:12 PM