CVE-2026-34590 MEDIUM

CVE-2026-34590: Postiz: SSRF via Webhook Creation Endpoint Missing URL Safety Validation

Vendor Gitroomhq
Product postiz-app
Weakness CWE-918 · SSRF
Published April 2, 2026
Last update April 3, 2026
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4.

Key dates

02Disclosure timeline

April 2, 2026 CVE published
April 3, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-42404 Apache Neethi: Unrestricted HTTP Redirect Following in Policy References CVE-2026-0686 Webmention <= 5.6.2 - Unauthenticated Blind Server-Side Request Forgery CVE-2025-30914 WordPress Metform Elementor Contact Form Builder plugin <= 3.9.7 - Server Side Request Forgery (SSRF) vulnerability CVE-2026-41461 SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview CVE-2026-31959 SSRF in Quill via unvalidated URL from Apple notarization log retrieval