CVE-2026-42346
Deferred Deferred - Pending Action
Server-Side Request Forgery in Postiz AI Scheduler

Publication date: 2026-05-08

Last updated on: 2026-05-19

Assigner: GitHub, Inc.

Description
Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-19
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42346
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
postiz postiz From 2.16.6 (inc) to 2.21.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Postiz, an AI social media scheduling tool, in versions from 2.16.6 up to but not including 2.21.7. It is a Time-of-Check-Time-of-Use (TOCTOU) issue affecting the Server-Side Request Forgery (SSRF) protections introduced between versions 2.21.4 and 2.21.6.

The function isSafePublicHttpsUrl() attempts to validate the target IP address by resolving DNS before allowing a request. However, the actual fetch() call that makes the request resolves DNS independently. This discrepancy allows an attacker who controls a DNS server to exploit DNS rebinding, redirecting requests to internal network addresses that should be protected.

This vulnerability was fixed in version 2.21.7.

Impact Analysis

An attacker exploiting this vulnerability can redirect server-side requests to internal network addresses by manipulating DNS responses. This can lead to unauthorized access to internal resources that are normally protected from external access.

The impact includes potential exposure of sensitive internal services or data, as the attacker can bypass SSRF protections and make the server perform requests to internal systems.

According to the CVSS score (6.5), the vulnerability has a high impact on confidentiality, a low impact on integrity, and no impact on availability.

Mitigation Strategies

The vulnerability is patched in Postiz version 2.21.7. The immediate step to mitigate this vulnerability is to upgrade Postiz to version 2.21.7 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42346. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart