Platform: nodejs
Component: postiz-app
Fixed in: 2.21.6
CVE-2026-40168 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Postiz, an AI-powered social media scheduling tool. This flaw allows attackers to potentially access internal resources by manipulating HTTP redirects, bypassing initial URL validation. The vulnerability impacts versions 0.0.0 up to and including 2.21.5, and a patch is available in version 2.21.5.
The SSRF vulnerability in Postiz allows an attacker to craft a malicious URL that initially appears valid but redirects the application's server-side requests to internal resources. Because Postiz does not re-validate the final destination after the redirect, an attacker can effectively bypass the initial validation checks. This could lead to unauthorized access to internal APIs, databases, or other sensitive services that are not directly exposed to the internet. The potential impact includes data exfiltration, privilege escalation, and even complete compromise of the internal network, depending on the resources accessible via the SSRF vulnerability.
CVE-2026-40168 was publicly disclosed on 2026-04-10. There is no indication of active exploitation at this time, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation, but the HIGH CVSS score suggests a potential for exploitation if a PoC is developed.
Organizations utilizing Postiz for social media scheduling, particularly those with internal services accessible via HTTP(S), are at risk. Shared hosting environments where Postiz instances are deployed alongside other applications are also vulnerable, as a compromised Postiz instance could potentially be used to access other services on the same server.
• nodejs / server:
  grep -r 'stream endpoint' /var/www/postiz/
• generic web:
  curl -I 'https://your-postiz-instance/api/public/stream?url=https://example.com/redirect' | grep 'Location:'
EPSS: 0.06% (17th percentile)
The primary mitigation for CVE-2026-40168 is to immediately upgrade Postiz to version 2.21.5 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block requests containing suspicious redirects or to restrict outbound connections to internal IP addresses. Additionally, review Postiz's configuration to ensure that it is not configured to access sensitive internal resources unnecessarily. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked.
Update to version 2.21.5 or later to fix the SSRF vulnerability. This update re-validates the target URL after HTTP redirects and so prevents the server from sending requests to internal resources.
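The redirect re-validation described above, as an added Node.js example that is not Postiz's own code: the allow rule runs before every hop of a redirect chain, not only on the URL the user submitted, so a public-looking first URL cannot steer the server to a loopback, link-local or RFC 1918 address. The fetchImpl parameter, the blocked ranges and the stubbed responses are assumptions constructed for this example.

```javascript
// Added example, not Postiz code: a server-side fetch that re-validates the
// destination on every redirect hop, the check the advisory says was skipped.

// True for hosts a server-side fetch must never reach. The list is a
// constructed illustration; a production check also resolves DNS names and
// re-checks the resulting addresses, since a public name can point inward.
function isPrivateHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost') || h.endsWith('.internal')) return true;
  const v4 = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const [a, b] = [Number(v4[1]), Number(v4[2])];
    return a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||               // link-local, cloud metadata
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (h.includes(':')) {                        // IPv6 literal
    return h === '::1' || h === '::' || /^f[cd]/.test(h) || h.startsWith('fe80');
  }
  return false;
}

// Same rule applied to a whole URL: http(s) only, no credentials, no private host.
function isAllowedUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  if (u.username || u.password) return false;
  return !isPrivateHost(u.hostname);
}

// Follows redirects by hand so isAllowedUrl runs before each request, not only
// on the URL the user submitted. fetchImpl is injected (a stub in the test, the
// global fetch in real use) and is always called with redirect: 'manual'.
async function fetchValidated(startUrl, fetchImpl, maxRedirects = 5) {
  let url = startUrl;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!isAllowedUrl(url)) return { ok: false, blockedAt: url, hops: hop };
    const res = await fetchImpl(url, { redirect: 'manual' });
    const loc = res.headers.get('location');
    if (res.status < 300 || res.status > 399 || !loc) {
      return { ok: true, finalUrl: url, status: res.status, hops: hop };
    }
    url = new URL(loc, url).href;               // resolve relative Location
  }
  return { ok: false, blockedAt: url, hops: maxRedirects + 1 };
}
```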
CVE-2026-40168 is a HIGH severity SSRF vulnerability affecting Postiz versions 0.0.0 through 2.21.5, allowing attackers to access internal resources via HTTP redirects.
If you are running Postiz version 2.21.5 or earlier, you are potentially affected by this SSRF vulnerability. Immediate action is required.
Upgrade Postiz to version 2.21.5 or later. As a temporary workaround, implement WAF rules and strengthen URL validation.
Active exploitation is currently unconfirmed, but the vulnerability's potential impact warrants immediate mitigation.
Refer to the Postiz security advisory for detailed information and updates regarding CVE-2026-40168: [https://postiz.com/security/advisories](https://postiz.com/security/advisories)