CVE-2026-48783: CWE-345: Insufficient Verification of Data Authenticity in gitroomhq postiz-app
Postiz, an AI social media scheduling tool by gitroomhq, had a vulnerability in versions prior to 2.21.8 where an unauthenticated endpoint accepted a signed token without verifying its intended purpose. This allowed attackers to trigger subscription-enforcement side effects on their own organization, such as adjusting team-member enablement, disabling integrations, and resetting scheduled-post cron jobs. The vulnerability did not allow changing the subscription tier or affecting other organizations. The issue was fixed in version 2.21.8.
AI Analysis
Technical Summary
CVE-2026-48783 describes an insufficient verification of data authenticity vulnerability (CWE-345) in gitroomhq's postiz-app before version 2.21.8. The /public/modify-subscription endpoint accepted a signed token and applied subscription enforcement side effects based on the token's claims without verifying the token's intended purpose. While the subscription tier could not be changed, side effects such as enabling/disabling team members, disabling integrations exceeding plan limits, and resetting scheduled-post cron jobs could be triggered on the attacker's own organization. The vulnerability is limited to the attacker's organization and cannot be exploited to impact other tenants. The vulnerability has been fixed in version 2.21.8.
Potential Impact
The vulnerability allows an unauthenticated attacker to cause subscription enforcement side effects on their own organization, including adjusting team-member enablement, disabling integrations that exceed plan limits, and resetting scheduled-post cron jobs. There is no impact on confidentiality or the ability to affect other organizations. The subscription tier itself cannot be changed. The CVSS score is 4.8 (medium), reflecting limited impact and the requirement for network access without privileges.
Mitigation Recommendations
Upgrade to postiz-app version 2.21.8 or later, where this vulnerability has been fixed. Since the vulnerability is resolved in this version, no additional mitigation actions are required.
CVE-2026-48783: CWE-345: Insufficient Verification of Data Authenticity in gitroomhq postiz-app
Description
Postiz, an AI social media scheduling tool by gitroomhq, had a vulnerability in versions prior to 2.21.8 where an unauthenticated endpoint accepted a signed token without verifying its intended purpose. This allowed attackers to trigger subscription-enforcement side effects on their own organization, such as adjusting team-member enablement, disabling integrations, and resetting scheduled-post cron jobs. The vulnerability did not allow changing the subscription tier or affecting other organizations. The issue was fixed in version 2.21.8.
CVSS v3.1
Score 4.8medium
Affected software
pkg:github/gitroomhq/postiz-appRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-48783 describes an insufficient verification of data authenticity vulnerability (CWE-345) in gitroomhq's postiz-app before version 2.21.8. The /public/modify-subscription endpoint accepted a signed token and applied subscription enforcement side effects based on the token's claims without verifying the token's intended purpose. While the subscription tier could not be changed, side effects such as enabling/disabling team members, disabling integrations exceeding plan limits, and resetting scheduled-post cron jobs could be triggered on the attacker's own organization. The vulnerability is limited to the attacker's organization and cannot be exploited to impact other tenants. The vulnerability has been fixed in version 2.21.8.
Potential Impact
The vulnerability allows an unauthenticated attacker to cause subscription enforcement side effects on their own organization, including adjusting team-member enablement, disabling integrations that exceed plan limits, and resetting scheduled-post cron jobs. There is no impact on confidentiality or the ability to affect other organizations. The subscription tier itself cannot be changed. The CVSS score is 4.8 (medium), reflecting limited impact and the requirement for network access without privileges.
Mitigation Recommendations
Upgrade to postiz-app version 2.21.8 or later, where this vulnerability has been fixed. Since the vulnerability is resolved in this version, no additional mitigation actions are required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-22T20:18:20.365Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a31c7a80b89be6888375f30
Added to database: 6/16/2026, 10:01:12 PM
Last enriched: 6/16/2026, 10:15:45 PM
Last updated: 6/17/2026, 4:21:51 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.