CVE-2026-48781

CRITICAL 9.9

Postiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery

CVSS Score

9.9

EPSS Score

0.0%

EPSS Percentile

0th

Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed Full Access to the following: all parts of Postiz, including users registered to the specific instance and the ability to post in the name of the victim's social media channels added to that Postiz instance. This issue has been fixed in version 2.21.8.

CWE	CWE-302 CWE-345 CWE-863
Vendor	gitroomhq
Product	postiz-app
Published	Jun 16, 2026

Stay Ahead of the Next One

Get instant alerts for gitroomhq postiz-app

Be the first to know when new critical vulnerabilities affecting gitroomhq postiz-app are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

gitroomhq / postiz-app

< 2.21.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-j77w-h625-56q2 github.com: https://github.com/gitroomhq/postiz-app/commit/23696d2973510ae1f3f48bfa41a6bfbbf9827b05 gadvisory.org: https://gadvisory.org/advisories/PSA-2026-2CAQ96 github.com: http://github.com/gitroomhq/postiz-app/releases/tag/v2.21.8