CVE-2026-40168
Received Received - Intake
SSRF Vulnerability in Postiz /api/public/stream Endpoint

Publication date: 2026-04-10

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40168
EUVD
EUVD-2026-21571
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gitroom postiz to 2.21.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized access to internal network resources and disclosure of sensitive internal data by streaming internal responses back to an attacker. This exposure of sensitive internal information could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on the confidentiality and security of personal and sensitive data.

Since the SSRF vulnerability can expose internal admin interfaces, cloud metadata, and private services, it increases the risk of data breaches and unauthorized data access, which are critical concerns under these regulations.

Therefore, organizations using vulnerable versions of Postiz may face compliance risks if this vulnerability is exploited, potentially resulting in regulatory penalties or loss of trust.

Executive Summary

CVE-2026-40168 is a Server-Side Request Forgery (SSRF) vulnerability in the Postiz social media scheduling tool, specifically affecting the /api/public/stream endpoint in versions prior to 2.21.5.

The vulnerability arises because the application initially validates user-supplied HTTPS URLs to block private or internal hosts, but it does not re-validate the final destination after HTTP redirects.

An attacker can supply a public HTTPS URL that passes initial validation but responds with an HTTP redirect to an internal network address or service. Since the server follows redirects automatically without re-validation, it ends up making requests to internal-only resources.

This allows attackers to access internal resources that are not externally reachable, potentially exposing sensitive internal data or services.

Impact Analysis

This vulnerability can have significant impacts including unauthorized access to internal network resources that should be protected from external access.

  • Disclosure of sensitive internal data by streaming internal responses back to the attacker.
  • Exposure of internal admin interfaces, cloud metadata services, service discovery endpoints, or other private services.

Because the attack requires no privileges or user interaction and has a low attack complexity, it poses a high confidentiality risk.

Detection Guidance

This vulnerability involves the server following HTTP redirects from a user-supplied HTTPS URL without re-validating the final destination, potentially accessing internal resources. Detection involves monitoring requests to the /api/public/stream endpoint for unusual or unexpected redirects to internal IP addresses or hostnames.

Suggested detection methods include:

  • Inspect network logs or application logs for requests to /api/public/stream that result in server-side requests to private or internal IP ranges.
  • Use network monitoring tools to detect outbound HTTP(S) requests from the server to internal IP addresses that should not be accessed externally.
  • Run targeted tests by sending crafted HTTPS URLs to the vulnerable endpoint that redirect to internal IPs and observe if the server follows them.

Example commands to test or detect the vulnerability might include using curl or similar tools to send requests to the vulnerable endpoint with URLs that redirect internally, for example:

  • curl -X POST 'https://your-postiz-server/api/public/stream' -d '{"url":"https://public-url-that-redirects-to-internal"}' -H 'Content-Type: application/json'
  • Monitor server logs or responses for data indicating internal resource access.
Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade the postiz-app to version 2.21.5 or later, where the vulnerability is fixed.
  • Disable automatic following of HTTP redirects on the /api/public/stream endpoint or implement manual redirect handling with strict validation.
  • Implement re-validation of the hostname and IP address after every HTTP redirect to ensure the final destination is not an internal or private IP.
  • Enforce strict IP range checks on all resolved IP addresses to block private, loopback, link-local, multicast, and reserved IP ranges.
  • Consider restricting the endpoint to accept URLs only from a trusted allowlist of domains.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40168. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart