The vulnerability CVE-2026-34590 affects gitroomhq's postiz-app, an AI social media scheduling tool, specifically versions prior to 2.21.4. The root cause is insufficient validation of webhook URLs submitted via the POST /webhooks/ endpoint. This endpoint uses WebhooksDto with only the @IsUrl() decorator, which validates the URL format but does not prevent URLs pointing to internal or private network addresses. In contrast, the update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply the @IsSafeWebhookUrl validator, which blocks such unsafe URLs. When a post is published, the orchestrator component fetches the stored webhook URL without performing runtime validation, enabling an attacker who can create webhooks to trigger SSRF attacks. This SSRF is blind, meaning the attacker does not receive direct response data but can cause the server to make requests to internal services, potentially exposing sensitive information or enabling further attacks such as internal port scanning or exploitation of internal APIs. The vulnerability requires the attacker to have privileges to create webhooks (PR:L) but does not require user interaction (UI:N). The CVSS vector indicates network attack vector (AV:N), low attack complexity (AC:L), and limited confidentiality and integrity impact (C:L/I:L), with no availability impact (A:N). No known exploits in the wild have been reported yet. The issue was reserved on 2026-03-30 and published on 2026-04-02, with a patch released in version 2.21.4 that adds proper validation to the POST /webhooks/ endpoint.

This SSRF vulnerability can allow attackers with webhook creation privileges to make the postiz-app server send unauthorized requests to internal or private network resources. Potential impacts include exposure of sensitive internal services, reconnaissance of internal network topology, and exploitation of other vulnerabilities in internal systems. Although the SSRF is blind, it can be leveraged for indirect attacks such as triggering actions on internal APIs or exfiltrating data via side channels. The confidentiality and integrity of internal systems are at risk, while availability impact is minimal. Organizations using vulnerable versions may face increased risk of lateral movement and internal network compromise if attackers gain webhook creation access. Since the vulnerability requires some privileges, the risk is mitigated if webhook creation is tightly controlled. However, in multi-tenant or less restrictive environments, the impact could be significant.

1. Upgrade postiz-app to version 2.21.4 or later where the vulnerability is patched. 2. Audit and restrict permissions for creating webhooks to trusted users only, minimizing the attack surface. 3. Review existing webhook URLs for any pointing to internal or private IP ranges and remove or correct them. 4. Implement network-level controls such as firewall rules or egress filtering to prevent the postiz-app server from making unauthorized requests to internal services. 5. Monitor webhook creation and usage logs for suspicious URLs or unusual activity. 6. If upgrading immediately is not possible, consider temporarily disabling webhook creation or restricting it via configuration. 7. Conduct internal penetration testing to verify no other SSRF vectors exist and that internal services are protected against unauthorized access.