CVE-2026-40168 HIGH

CVE-2026-40168: Postiz has Server-Side Request Forgery via Redirect Bypass in /api/public/stream

Vendor Gitroomhq
Product postiz-app
Weakness CWE-918 · SSRF
Published April 10, 2026
Last update April 13, 2026

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

What the vulnerability does

01Description

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource.

Key dates

02Disclosure timeline

April 10, 2026 CVE published
April 13, 2026 Record updated