CVE-2026-42346
Deferred Deferred - Pending Action

Server-Side Request Forgery in Postiz AI Scheduler

Vulnerability report for CVE-2026-42346, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-08

Last updated on: 2026-05-19

Assigner: GitHub, Inc.

Description

Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-08
Last Modified
2026-05-19
Generated
2026-07-09
AI Q&A
2026-05-09
EPSS Evaluated
2026-07-08
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
postiz postiz From 2.16.6 (inc) to 2.21.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Postiz, an AI social media scheduling tool, in versions from 2.16.6 up to but not including 2.21.7. It is a Time-of-Check-Time-of-Use (TOCTOU) issue affecting the Server-Side Request Forgery (SSRF) protections introduced between versions 2.21.4 and 2.21.6.

The function isSafePublicHttpsUrl() attempts to validate the target IP address by resolving DNS before allowing a request. However, the actual fetch() call that makes the request resolves DNS independently. This discrepancy allows an attacker who controls a DNS server to exploit DNS rebinding, redirecting requests to internal network addresses that should be protected.

This vulnerability was fixed in version 2.21.7.

Impact Analysis

An attacker exploiting this vulnerability can redirect server-side requests to internal network addresses by manipulating DNS responses. This can lead to unauthorized access to internal resources that are normally protected from external access.

The impact includes potential exposure of sensitive internal services or data, as the attacker can bypass SSRF protections and make the server perform requests to internal systems.

According to the CVSS score (6.5), the vulnerability has a high impact on confidentiality, a low impact on integrity, and no impact on availability.

Mitigation Strategies

The vulnerability is patched in Postiz version 2.21.7. The immediate step to mitigate this vulnerability is to upgrade Postiz to version 2.21.7 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42346. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart