CVE-2026-48783

MEDIUM
4.8
CVSS 3.1
Description
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller's own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8.

Metadata

CVE ID
CVE-2026-48783
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-22 20:18 UTC
Published
2026-06-16 21:38 UTC
Last updated
2026-06-17 12:43 UTC
Primary CWE
CWE-345: Insufficient Verification of Data Authenticity
Vendor / Product
gitroomhq / postiz-app
Sources
cve.org  ·  NVD

Severity & Metrics

4.8 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
Vendor      Product      Platform   Versions
gitroomhq   postiz-app              < 2.21.8
Weakness (CWE)
CWE       Source   Description
CWE-345   cna      Insufficient Verification of Data Authenticity
CWE-639   cna      Authorization Bypass Through User-Controlled Key
CWE-749   cna      Exposed Dangerous Method or Function
CWE-862   cna      Missing Authorization
CVSS scores (1)
Score   Severity   Version   Source   Vector
4.8     MEDIUM     3.1       cna      CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
References (4)