CVE-2026-34577

HIGH 8.6

Postiz: Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check

CVSS Score

8.6

EPSS Score

0.1%

EPSS Percentile

26th

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3.

CWE	CWE-918
Vendor	gitroomhq
Product	postiz-app
Published	Apr 2, 2026
Last Updated	Apr 3, 2026

Stay Ahead of the Next One

Get instant alerts for gitroomhq postiz-app

Be the first to know when new high vulnerabilities affecting gitroomhq postiz-app are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

gitroomhq / postiz-app

< 2.21.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-mv6h-v3jg-g539 github.com: https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3