Executive Summary

CVE-2026-34577 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the Postiz AI social media scheduling tool, specifically in the GET /public/stream endpoint of the PublicController.

This endpoint accepts a user-supplied URL query parameter and proxies the full HTTP response back to the requester without authentication or proper validation.

The only validation performed is a simple check that the URL string ends with 'mp4', which can be easily bypassed by appending '.mp4' as a query parameter or URL fragment.

Because there are no SSRF protections or authentication, an attacker can use this flaw to make the server fetch and return responses from internal services, cloud metadata endpoints, or other network-internal resources.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including:

• Attackers can steal cloud credentials by accessing cloud metadata endpoints (e.g., AWS IAM credentials), potentially leading to full cloud account compromise.
• It allows internal network reconnaissance by reading responses from internal services such as databases, caches, and admin panels that are not exposed externally.
• Sensitive data can be exfiltrated from any HTTP-accessible internal resource.
• The stolen credentials or internal access can be used to perform lateral movement, privilege escalation, and further exploitation within the network.
• The vulnerability is easy to exploit since it requires no authentication or user interaction and works on default deployments.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable GET /public/stream endpoint with crafted URLs that exploit the SSRF issue. The endpoint accepts a user-supplied url query parameter and proxies the full HTTP response back without authentication or proper validation.

Example commands to test for the vulnerability include using curl to request internal or cloud metadata endpoints with a URL ending in .mp4 appended as a query parameter or fragment, which bypasses the weak validation:

• curl -s 'http://localhost:3000/public/stream?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/?x=.mp4' # Attempts to read AWS instance metadata
• curl -s 'http://localhost:3000/public/stream?url=http://localhost:6379/INFO?x=.mp4' # Attempts to scan internal Redis service
• curl -s 'http://localhost:3000/public/stream?url=http://internal-service:8080/admin?foo=.mp4' # Attempts to access internal admin panel
• curl -s 'http://localhost:3000/public/stream?url=file:///etc/passwd?x=.mp4' # Attempts to read local files if supported

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Postiz to version 2.21.3 or later, where this vulnerability has been patched.

The patch includes proper URL parsing and validation using the URL class, ensuring the pathname ends with .mp4, restricting allowed protocols to http and https, and applying a validator to block requests to private, localhost, and link-local IP ranges.

Until the upgrade can be applied, consider restricting access to the vulnerable endpoint (GET /public/stream) via network controls or firewall rules to prevent unauthenticated external access.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated attackers to access internal services and cloud metadata endpoints, potentially leading to theft of cloud credentials and exfiltration of sensitive data.

Such unauthorized access and data exposure could result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information.

Specifically, the exposure of internal data and credentials increases the risk of data breaches, which are subject to mandatory reporting and can lead to legal and financial penalties under these standards.

Useful 0 Not Useful 0