CVE-2026-48781
Privilege Escalation to SUPERADMIN in Postiz AI Social Media Scheduler

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shaped JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could therefore forge a SUPERADMIN session and impersonate arbitrary organizations. This gave full access to all parts of Postiz, including the users registered to the specific instance, and the ability to post in the name of the victim's social media channels added to that instance. This issue has been fixed in version 2.21.8.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor      Product   Version / Range
postiz      postiz    up to 2.21.8 (excluding)
gitroomhq   postiz    up to 2.21.8 (excluding)
CWE
CWE ID    Description
CWE-863   The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-345   The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-302   The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
Compliance Impact

This vulnerability allows any authenticated Postiz user to forge a SUPERADMIN session and impersonate arbitrary organizations, granting full access to all parts of the application, including user data and the ability to post on behalf of victims' social media channels.

Such unauthorized access and impersonation can lead to significant breaches of confidentiality, integrity, and availability of sensitive data, which are critical concerns under common standards and regulations like GDPR and HIPAA.

Specifically, the exposure and potential misuse of personal data and organizational information could violate GDPR's requirements for data protection and user consent, as well as HIPAA's mandates for safeguarding protected health information if applicable.

Therefore, this vulnerability poses a serious risk to compliance with these regulations by enabling unauthorized data access and manipulation.

Detection Guidance

There are no specific detection commands or network/system detection methods provided in the available resources for this vulnerability.

The vulnerability involves JWT forgery in the Postiz application prior to version 2.21.8, where the authentication middleware trusted claims in JWTs without re-resolving the user from the database.

The recommended mitigation is to upgrade to Postiz version 2.21.8 or later, which includes fixes to verify JWT signatures properly and re-resolve users from the database.

Executive Summary

The vulnerability in Postiz, an AI social media scheduling tool, involves the Skool integration callback signing an attacker-controlled JSON blob into a session-shaped JWT using the application's JWT_SECRET. The authentication middleware then trusted every claim in that JWT without re-verifying the user from the database.

This flaw allowed any authenticated Postiz user to forge a SUPERADMIN session and impersonate arbitrary organizations, effectively bypassing authentication and authorization controls.

The issue affected all versions prior to 2.21.8 and was fixed in version 2.21.8.

Impact Analysis

This vulnerability can have severe impacts as it grants full access to all parts of the Postiz application to an attacker who exploits it.

  • An attacker can forge a SUPERADMIN session.
  • They can impersonate arbitrary organizations within the Postiz instance.
  • They gain access to all registered users and their data.
  • They can post on behalf of victims' social media channels connected to Postiz.

Overall, this leads to a complete compromise of confidentiality, integrity, and availability of the affected Postiz instance.

Mitigation Strategies

The only effective mitigation for this vulnerability is to upgrade Postiz to version 2.21.8 or later, where the issue has been fixed.

No workarounds exist other than applying the patch provided in the fixed version.
