CVE-2026-34577
SSRF Vulnerability in Postiz PublicController Allows Internal Data Access
Publication date: 2026-04-02
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitroom | postiz | < 2.21.3 (2.21.3 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34577 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the Postiz AI social media scheduling tool, specifically in the GET /public/stream endpoint of the PublicController.
This endpoint accepts a user-supplied url query parameter and proxies the full HTTP response back to the requester without authentication or proper validation.
The only validation performed is a simple check that the raw URL string ends with 'mp4', which is easily bypassed by appending '.mp4' as a query parameter value or URL fragment, since neither affects the destination that is fetched.
Because there are no SSRF protections or authentication, an attacker can use this flaw to make the server fetch and return responses from internal services, cloud metadata endpoints, or other network-internal resources.
How can this vulnerability impact me?
This vulnerability can have serious impacts including:
- Attackers can steal cloud credentials by accessing cloud metadata endpoints (e.g., AWS IAM credentials), potentially leading to full cloud account compromise.
- It allows internal network reconnaissance by reading responses from internal services such as databases, caches, and admin panels that are not exposed externally.
- Sensitive data can be exfiltrated from any HTTP-accessible internal resource.
- The stolen credentials or internal access can be used to perform lateral movement, privilege escalation, and further exploitation within the network.
- The vulnerability is easy to exploit since it requires no authentication or user interaction and works on default deployments.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the vulnerable GET /public/stream endpoint with crafted URLs that exploit the SSRF issue. The endpoint accepts a user-supplied url query parameter and proxies the full HTTP response back without authentication or proper validation.
Example commands to test for the vulnerability use curl to request internal or cloud metadata URLs through the endpoint, with '.mp4' appended as a query parameter value or fragment so that the weak suffix check passes:
- curl -s 'http://localhost:3000/public/stream?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/?x=.mp4' # Attempts to read AWS instance metadata
- curl -s 'http://localhost:3000/public/stream?url=http://localhost:6379/INFO?x=.mp4' # Attempts to scan internal Redis service
- curl -s 'http://localhost:3000/public/stream?url=http://internal-service:8080/admin?foo=.mp4' # Attempts to access internal admin panel
- curl -s 'http://localhost:3000/public/stream?url=file:///etc/passwd?x=.mp4' # Attempts to read local files if supported
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Postiz to version 2.21.3 or later, where this vulnerability has been patched.
The patch parses the value with the URL class instead of inspecting the raw string, requires that the parsed pathname (not the query or fragment) end with .mp4, restricts the allowed protocols to http and https, and applies a validator that rejects requests to private, localhost, and link-local IP ranges.
Until the upgrade can be applied, consider restricting access to the vulnerable endpoint (GET /public/stream) via network controls or firewall rules to prevent unauthenticated external access.
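The following is an added example, not Postiz's own code: it reconstructs the weak suffix check described above and places a hardened validator beside it that follows the patch description (URL parsing, pathname suffix, protocol allow-list, private/loopback/link-local rejection). The function names are assumed.

```typescript
import * as net from "node:net";

// Weak check as described in the advisory: a suffix test on the raw string.
// "?x=.mp4" or "#.mp4" satisfies it without changing the fetched destination.
function weakCheck(raw: string): boolean {
  return raw.endsWith("mp4");
}

// True if a literal IP is loopback, RFC 1918 private, link-local or unspecified.
function isDisallowedIp(ip: string): boolean {
  if (net.isIPv6(ip)) {
    const v6 = ip.toLowerCase();
    return v6 === "::1" || v6 === "::" ||       // loopback, unspecified
      /^fe[89ab]/.test(v6) || /^f[cd]/.test(v6) || // link-local, unique-local
      v6.startsWith("::ffff:");                  // IPv4-mapped (re-check v4 part)
  }
  if (!net.isIPv4(ip)) return false;
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);                    // cloud metadata range
}

// Hardened validator: parse first, then check each component separately.
// Assumption: the caller still resolves the hostname and re-checks the resolved
// address (or pins it in the HTTP client); a name can resolve to an internal IP.
function hardenedCheck(raw: string): boolean {
  let url: URL;
  try {
    url = new URL(raw); // also normalises forms such as hex/octal IPv4 literals
  } catch {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (!url.pathname.toLowerCase().endsWith(".mp4")) return false;
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (isDisallowedIp(host)) return false;
  return true;
}
```

The constructed inputs in the test show the weak check accepting a metadata URL that the hardened check rejects, while an ordinary public .mp4 URL still passes.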
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to access internal services and cloud metadata endpoints, potentially leading to theft of cloud credentials and exfiltration of sensitive data.
Such unauthorized access and data exposure could result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information.
Specifically, the exposure of internal data and credentials increases the risk of data breaches, which are subject to mandatory reporting and can lead to legal and financial penalties under these standards.