CVE-2026-42346 MEDIUM

CVE-2026-42346: Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validation paths

Vendor Gitroomhq
Product postiz-app
Weakness CWE-918 · SSRF
Published May 8, 2026
Last update May 11, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

Description

Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7.
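The check/use gap described above, next to the usual fix of connecting to the very address that was validated, as an added example that is not Postiz code; the rebinding resolver, the connectTo stub and the isInternalIPv4 helper are constructed for the demonstration and DNS answers are simulated so it runs offline.

```javascript
// Added example (not Postiz code): the two-lookup pattern behind the CVE,
// simulated offline, beside a fix that resolves once and connects to the
// address it validated. IPv4-only for brevity; real code must also handle
// IPv6, redirects and hostname normalisation. Synchronous stand-ins are used
// where production code would await DNS and the socket.

// Constructed resolver standing in for attacker-controlled DNS with a tiny
// TTL: the first answer is public, every later answer is internal.
function makeRebindingResolver(publicIp, internalIp) {
  let calls = 0;
  return () => (calls++ === 0 ? publicIp : internalIp);
}

// Blocks RFC 1918, loopback, link-local and "this network" ranges.
function isInternalIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Stand-in for the socket layer: reports the address it would connect to.
function connectTo(ip, host) {
  return { connectedIp: ip, hostHeader: host };
}

// Vulnerable shape: the check resolves the name, then the fetch layer
// resolves it again on its own. Nothing ties the two answers together.
function vulnerableFetch(url, resolve) {
  const host = new URL(url).hostname;
  const checkedIp = resolve(host);                 // time of check
  if (isInternalIPv4(checkedIp)) throw new Error('blocked: ' + checkedIp);
  const usedIp = resolve(host);                    // time of use: fresh lookup
  return connectTo(usedIp, host);
}

// Hardened shape: one lookup, validate that exact address, and hand the
// address (not the hostname) to the connection. In Node this is done by
// passing a `lookup` function to http.request/net.connect that returns the
// pinned address, while the Host header keeps virtual hosting working.
function pinnedFetch(url, resolve) {
  const host = new URL(url).hostname;
  const ip = resolve(host);
  if (isInternalIPv4(ip)) throw new Error('blocked: ' + ip);
  return connectTo(ip, host);                      // same address as checked
}
```

Pinning the address also has to survive redirects: each hop needs its own resolve-validate-pin cycle, or the redirect must be refused.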

Key dates

Disclosure timeline

May 8, 2026 CVE published
May 11, 2026 Record updated
