CVE-2026-48781 | THREATINT

Description

Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed Full Access to the following: all parts of Postiz, including users registered to the specific instance and the ability to post in the name of the victim's social media channels added to that Postiz instance. This issue has been fixed in version 2.21.8.

PUBLISHED Reserved 2026-05-22 | Published 2026-06-16 | Updated 2026-06-16 | Assigner GitHub_M

CRITICAL: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-302: Authentication Bypass by Assumed-Immutable Data

CWE-345: Insufficient Verification of Data Authenticity

CWE-863: Incorrect Authorization

Product status

< 2.21.8

affected

References

github.com/...iz-app/security/advisories/GHSA-j77w-h625-56q2

github.com/...ommit/23696d2973510ae1f3f48bfa41a6bfbbf9827b05

gadvisory.org/advisories/PSA-2026-2CAQ96

github.com/gitroomhq/postiz-app/releases/tag/v2.21.8

cve.org (CVE-2026-48781)

nvd.nist.gov (CVE-2026-48781)

Download JSON