Description

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3.

INFO

Published Date :

2026-04-02T17:24:33.725Z

Last Modified :

2026-04-02T17:24:33.725Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34577 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34577.

URL Resource
https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3 cve-icon cve-icon
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-mv6h-v3jg-g539 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact