CVE-2026-48783
Status: Received - Intake
Unauthenticated Subscription Enforcement in Postiz

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller's own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: gitroomhq
Product: postiz
Version / Range: 2.21.8
CWE
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-749 The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

CVE-2026-48783 is a vulnerability in Postiz, an AI social media scheduling tool, affecting versions prior to 2.21.8. It involves an unauthenticated endpoint, /public/modify-subscription, which accepts a signed token and applies subscription-enforcement side effects to the organization referenced in the token's claims without verifying the token's intended purpose.

Although this endpoint cannot change the actual subscription tier, it can modify enforcement-related settings such as adjusting team-member enablement state, disabling integrations that exceed the asserted plan's limits, and resetting the scheduled-post cron when the plan is the free tier.

The impact of this vulnerability is limited to the attacker's own organization and cannot be redirected to affect other tenants.

Impact Analysis

This vulnerability allows an unauthenticated caller to trigger subscription-enforcement side effects within their own organization on Postiz. Specifically, a caller can:

  • Adjust team-member enablement state, potentially enabling or disabling user access improperly.
  • Disable integrations that exceed the limits of the asserted subscription plan.
  • Reset the scheduled-post cron job if the asserted plan is the free tier, which could disrupt scheduled social media posts.

However, the vulnerability cannot be exploited to affect other organizations or tenants, limiting the scope of impact.

Detection Guidance

The vulnerability involves an unauthenticated endpoint /public/modify-subscription that accepts a signed token and applies subscription-enforcement side effects without verifying the token's intended purpose.

Detection could focus on monitoring or inspecting requests to the /public/modify-subscription endpoint, especially those that include signed tokens.

Since the vulnerability affects the attacker's own organization by adjusting team-member enablement, disabling integrations, or resetting scheduled-post crons, unusual changes in these areas could indicate exploitation.

However, no specific detection commands or signatures are provided in the available resources.

Mitigation Strategies

The primary and only effective mitigation is to upgrade Postiz to version 2.21.8 or later, where this vulnerability has been fixed.

No workarounds are available other than applying the patch.

Upgrading will ensure that the /public/modify-subscription endpoint properly verifies JWT signatures and re-resolves users from the database, preventing unauthorized subscription enforcement side effects.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
