Description

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource.

INFO

Published Date :

2026-04-10T19:20:16.365Z

Last Modified :

2026-04-10T19:20:16.365Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40168 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40168.

URL Resource
https://github.com/gitroomhq/postiz-app/commit/30e8b777098157362769226d1b46d83ad616cb06 cve-icon cve-icon
https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.5 cve-icon cve-icon
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact