CVE-2026-34590: CWE-918: Server-Side Request Forgery (SSRF) in gitroomhq postiz-app
Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4.
AI Analysis
Technical Summary
The postiz-app before version 2.21.4 contains an SSRF vulnerability in the POST /webhooks/ endpoint. This endpoint uses WebhooksDto which only validates the URL format but does not block internal or private network addresses, unlike the update and test webhook endpoints that apply stricter validation. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF attacks against internal services. The issue was fixed in version 2.21.4 by adding proper validation to the creation endpoint.
Potential Impact
An attacker with permission to create webhooks can exploit this vulnerability to induce the server to send HTTP requests to internal or private network addresses, potentially accessing internal services that are otherwise inaccessible externally. The impact includes limited confidentiality and integrity loss but no availability impact. No known exploits are currently reported.
Mitigation Recommendations
This vulnerability is patched in postiz-app version 2.21.4. Users should upgrade to version 2.21.4 or later to ensure the @IsSafeWebhookUrl validator is applied on the webhook creation endpoint. No additional mitigation is required once the update is applied.
CVE-2026-34590: CWE-918: Server-Side Request Forgery (SSRF) in gitroomhq postiz-app
Description
Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The postiz-app before version 2.21.4 contains an SSRF vulnerability in the POST /webhooks/ endpoint. This endpoint uses WebhooksDto which only validates the URL format but does not block internal or private network addresses, unlike the update and test webhook endpoints that apply stricter validation. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF attacks against internal services. The issue was fixed in version 2.21.4 by adding proper validation to the creation endpoint.
Potential Impact
An attacker with permission to create webhooks can exploit this vulnerability to induce the server to send HTTP requests to internal or private network addresses, potentially accessing internal services that are otherwise inaccessible externally. The impact includes limited confidentiality and integrity loss but no availability impact. No known exploits are currently reported.
Mitigation Recommendations
This vulnerability is patched in postiz-app version 2.21.4. Users should upgrade to version 2.21.4 or later to ensure the @IsSafeWebhookUrl validator is applied on the webhook creation endpoint. No additional mitigation is required once the update is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T17:15:52.499Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cead0fe6bfc5ba1df180a2
Added to database: 4/2/2026, 5:53:19 PM
Last enriched: 4/9/2026, 10:46:03 PM
Last updated: 5/20/2026, 8:50:01 PM
Views: 67
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.