CVE-2026-40168
SSRF Vulnerability in Postiz /api/public/stream Endpoint
Publication date: 2026-04-10
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitroom | postiz | to 2.21.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40168 is a Server-Side Request Forgery (SSRF) vulnerability in the Postiz social media scheduling tool, specifically affecting the /api/public/stream endpoint in versions prior to 2.21.5.
The vulnerability arises because the application initially validates user-supplied HTTPS URLs to block private or internal hosts, but it does not re-validate the final destination after HTTP redirects.
An attacker can supply a public HTTPS URL that passes initial validation but responds with an HTTP redirect to an internal network address or service. Since the server follows redirects automatically without re-validation, it ends up making requests to internal-only resources.
This allows attackers to access internal resources that are not externally reachable, potentially exposing sensitive internal data or services.
How can this vulnerability impact me? :
This vulnerability can have significant impacts including unauthorized access to internal network resources that should be protected from external access.
- Disclosure of sensitive internal data by streaming internal responses back to the attacker.
- Exposure of internal admin interfaces, cloud metadata services, service discovery endpoints, or other private services.
Because the attack requires no privileges or user interaction and has a low attack complexity, it poses a high confidentiality risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the server following HTTP redirects from a user-supplied HTTPS URL without re-validating the final destination, potentially accessing internal resources. Detection involves monitoring requests to the /api/public/stream endpoint for unusual or unexpected redirects to internal IP addresses or hostnames.
Suggested detection methods include:
- Inspect network logs or application logs for requests to /api/public/stream that result in server-side requests to private or internal IP ranges.
- Use network monitoring tools to detect outbound HTTP(S) requests from the server to internal IP addresses that should not be accessed externally.
- Run targeted tests by sending crafted HTTPS URLs to the vulnerable endpoint that redirect to internal IPs and observe if the server follows them.
Example commands to test or detect the vulnerability might include using curl or similar tools to send requests to the vulnerable endpoint with URLs that redirect internally, for example:
- curl -X POST 'https://your-postiz-server/api/public/stream' -d '{"url":"https://public-url-that-redirects-to-internal"}' -H 'Content-Type: application/json'
- Monitor server logs or responses for data indicating internal resource access.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade the postiz-app to version 2.21.5 or later, where the vulnerability is fixed.
- Disable automatic following of HTTP redirects on the /api/public/stream endpoint or implement manual redirect handling with strict validation.
- Implement re-validation of the hostname and IP address after every HTTP redirect to ensure the final destination is not an internal or private IP.
- Enforce strict IP range checks on all resolved IP addresses to block private, loopback, link-local, multicast, and reserved IP ranges.
- Consider restricting the endpoint to accept URLs only from a trusted allowlist of domains.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized access to internal network resources and disclosure of sensitive internal data by streaming internal responses back to an attacker. This exposure of sensitive internal information could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on the confidentiality and security of personal and sensitive data.
Since the SSRF vulnerability can expose internal admin interfaces, cloud metadata, and private services, it increases the risk of data breaches and unauthorized data access, which are critical concerns under these regulations.
Therefore, organizations using vulnerable versions of Postiz may face compliance risks if this vulnerability is exploited, potentially resulting in regulatory penalties or loss of trust.