Platform: nodejs
Component: postiz-app
Fixed in: 2.21.3
CVE-2026-34577 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Postiz, an AI-powered social media scheduling tool. This flaw allows an unauthenticated attacker to proxy requests to internal services and cloud metadata endpoints, potentially exposing sensitive information. The vulnerability impacts versions of Postiz prior to 2.21.3 and has been addressed in the 2.21.3 release.
The SSRF vulnerability in Postiz allows attackers to bypass a weak validation check on the /public/stream endpoint. By appending .mp4 to a URL, an attacker can trick Postiz into making requests to arbitrary internal or external resources. This could lead to the exposure of sensitive data stored within the Postiz infrastructure, such as API keys, database credentials, or internal network configurations. Furthermore, attackers could potentially access cloud metadata endpoints (e.g., AWS instance metadata) to obtain information about the underlying infrastructure. The lack of authentication required for this endpoint significantly broadens the attack surface.
This vulnerability was publicly disclosed on 2026-04-02. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the lack of authentication make it a potential target for opportunistic attackers. The trivial bypass of the validation mechanism suggests a low barrier to entry for exploitation. No KEV listing is currently available.
Exploit Status
EPSS: 0.08% (24th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34577 is to immediately upgrade Postiz to version 2.21.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /public/stream endpoint with suspicious URL parameters. Additionally, restrict network access to the Postiz server to only allow necessary outbound connections. Monitor access logs for unusual outbound requests originating from the /public/stream endpoint. After upgrading, verify the fix by attempting to access an internal resource via the /public/stream endpoint with a crafted URL; the request should be rejected.
Update Postiz to version 2.21.3 or later. This version fixes the SSRF vulnerability by enabling proper validation of user-provided URLs.
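As an added example (not code from Postiz or from this advisory), the following is a hardened URL check for a media-proxy endpoint of the kind described above: it validates the parsed URL instead of testing the raw string's suffix, so appending an extension to the query or fragment no longer passes, and it refuses loopback, private and cloud-metadata address ranges outright. The function names and the allowed-extension list are assumptions.

```javascript
// Added example, not Postiz's own code: a validator for a media-proxy
// endpoint that replaces a naive "does the string end in .mp4?" test with
// checks on the parsed URL, so a query string or fragment cannot satisfy the
// extension rule and loopback, private and cloud-metadata hosts are refused.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const ALLOWED_EXTENSIONS = new Set([".mp4", ".webm", ".mov"]);
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// IPv4 ranges a public media proxy should never reach: 0.0.0.0/8, loopback,
// RFC 1918, link-local (which covers 169.254.169.254 metadata) and CGNAT.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// Unspecified, loopback, unique-local, link-local and IPv4-mapped IPv6.
function isPrivateIPv6(ip) {
  const h = ip.toLowerCase();
  return h === "::" || h === "::1" || h.startsWith("fc") || h.startsWith("fd") ||
    h.startsWith("fe80") || h.startsWith("::ffff:");
}

// Returns a short reason when the URL must be rejected, or null when it
// passes. The WHATWG parser normalises decimal/hex/octal hosts such as
// 2130706433 to dotted form, so the range checks see the real address.
// Before fetching, the caller must still resolve the hostname, re-check the
// resolved address, and re-validate every redirect hop.
function rejectReason(raw) {
  let u;
  try { u = new URL(raw); } catch { return "unparseable"; }
  if (!ALLOWED_SCHEMES.has(u.protocol)) return "scheme";
  if (u.username || u.password) return "credentials";
  const host = u.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return "localhost";
  if (IPV4.test(host) && isPrivateIPv4(host)) return "private-ip";
  if (host.includes(":") && isPrivateIPv6(host)) return "private-ip";
  // Extension check on the path only; ?x=.mp4 or #.mp4 do not count.
  const dot = u.pathname.lastIndexOf(".");
  if (dot < 0 || !ALLOWED_EXTENSIONS.has(u.pathname.slice(dot).toLowerCase())) {
    return "extension";
  }
  return null;
}
```

A hostname check alone does not stop a public name that resolves to an internal address, which is why the comment insists on re-checking the resolved IP and every redirect before the fetch is made.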
CVE-2026-34577 is a HIGH severity SSRF vulnerability affecting the Postiz social media scheduling tool in versions prior to 2.21.3; it allows unauthenticated attackers to reach internal resources.
You are affected if you are running a Postiz version earlier than 2.21.3. Check your version immediately and upgrade if necessary.
Upgrade Postiz to version 2.21.3 or later. As a temporary workaround, implement a WAF rule to block suspicious requests to the /public/stream endpoint.
While no active exploitation campaigns have been publicly reported, the ease of exploitation makes it a potential target. Continuous monitoring is recommended.
Refer to the Postiz security advisory for details and further guidance: https://postiz.com/security/advisories/CVE-2026-34577