{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40168/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-40168"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","cve-2026-40168","postiz"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePostiz is an AI-powered social media scheduling tool. Versions prior to 2.21.5 are susceptible to a Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-40168. The vulnerability exists in the \u003ccode\u003e/api/public/stream\u003c/code\u003e endpoint. The application validates the initially supplied URL and blocks direct access to private or internal hosts. However, it fails to re-validate the final destination after HTTP redirects. This flaw enables an attacker to bypass the initial validation by providing a public HTTPS URL that redirects to an internal resource. Successful exploitation can lead to information disclosure, internal service enumeration, and potentially further compromise of the Postiz infrastructure. The vulnerability was reported and patched in version 2.21.5.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies the vulnerable \u003ccode\u003e/api/public/stream\u003c/code\u003e endpoint in Postiz.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL. This URL is a valid, publicly accessible HTTPS URL.\u003c/li\u003e\n\u003cli\u003eThe malicious URL is designed to redirect the request to an internal resource (e.g., \u003ccode\u003ehttp://127.0.0.1:8080/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted URL to the \u003ccode\u003e/api/public/stream\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe Postiz server-side application validates the initial URL, which passes because it\u0026rsquo;s a public HTTPS address.\u003c/li\u003e\n\u003cli\u003eThe Postiz server-side application follows the HTTP redirect from the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe request is redirected to the internal resource (e.g., \u003ccode\u003ehttp://127.0.0.1:8080/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Postiz server makes a request to the internal resource, potentially revealing sensitive information or enabling further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40168 allows an attacker to perform Server-Side Request Forgery (SSRF) attacks against the Postiz application. This can lead to the exposure of sensitive internal resources, such as configuration files, internal APIs, or databases. An attacker might be able to enumerate internal services, read sensitive data, or even perform actions on behalf of the Postiz server. The severity of the impact depends on the nature of the accessible internal resources and could range from information disclosure to remote code execution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Postiz to version 2.21.5 or later to patch CVE-2026-40168 as referenced in the Postiz release notes.\u003c/li\u003e\n\u003cli\u003eImplement strict URL validation and sanitization on the \u003ccode\u003e/api/public/stream\u003c/code\u003e endpoint. Ensure that validation occurs both before and after any HTTP redirects.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious requests to the \u003ccode\u003e/api/public/stream\u003c/code\u003e endpoint that may indicate SSRF attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual HTTP requests originating from the Postiz server to internal IP addresses or private network ranges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-postiz-ssrf/","summary":"Postiz, an AI social media scheduling tool, is vulnerable to Server-Side Request Forgery (SSRF) in versions prior to 2.21.5, allowing attackers to access internal resources.","title":"Postiz SSRF Vulnerability (CVE-2026-40168)","url":"https://feed.craftedsignal.io/briefs/2026-04-postiz-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-40168","version":"https://jsonfeed.org/version/1.1"}