HarborGuard Database

Severity: CRITICAL | CVE-2026-48781 | CNA: GitHub_M

CVE-2026-48781: Postiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery

Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed full access to all parts of Postiz, including the users registered to the specific instance and the ability to post in the name of the victim's social media channels added to that Postiz instance. This issue has been fixed in version 2.21.8.

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in:
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is an authentication bypass and privilege escalation vulnerability in Postiz, an AI social media scheduling application. The flaw is reachable over the network by any low-privilege authenticated user, with no victim interaction required, because the Skool OAuth callback signs attacker-controlled data into a JWT using the application's own secret, and the middleware blindly trusts all claims in that token without checking the database. A successful attacker forges a SUPERADMIN session, gains full administrative access to the instance, reads all registered user data, and can post to any connected social media channel on behalf of any organization. A patched-image rebuild at version 2.21.8 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-48781 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Postiz, in both registry scans and CI pipeline checks.

Triage (Available)

HarborGuard scores this finding at CVSS 9.9 Critical and weights it against each environment's compliance policy to determine urgency and routing. Per-organization routing rules can direct the alert to the appropriate team inbox automatically.

Patch (Pending upstream)

A patched-image rebuild at Postiz 2.21.8 becomes available on HarborGuard the moment the upstream fix is confirmed, which it now is. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable Skool callback endpoint must be reachable over the network; an attacker sends a crafted HTTP request to it from any internet-accessible or internal network position.

  • Authentication: Required

    The attacker must hold a valid low-privilege Postiz account on the target instance; any standard registered user account is sufficient to trigger the callback and forge the JWT.

  • Victim interaction: Not required

    No action from any other user or administrator is needed; the attacker exploits the callback endpoint entirely on their own.

  • Attack complexity: Low

    Exploit complexity is low: no race conditions, memory layout knowledge, or special environmental factors are required, making the attack reliable and repeatable.

Blast Radius

  • Attacker reads all user records registered to the Postiz instance, including account details and session data across every tenant.
  • Attacker gains full SUPERADMIN control over all organizations on the instance, overriding per-tenant access boundaries entirely.
  • Attacker posts arbitrary content to any social media channel connected to the instance in the name of any user or organization.
  • All three pillars of data security are fully compromised: confidentiality, integrity, and availability of the instance and its connected social accounts.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-48781 is active across all scan environments as soon as the advisory is ingested, typically within minutes of publication. Because a fix exists at version 2.21.8, a patched-image rebuild is available now for any customer environment found to be running an affected version of Postiz. For customers with auto-remediation enabled, HarborGuard can execute the full remediation flow automatically: rebuild the image at 2.21.8, run regression tests against the rebuilt image, and open a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues in environments with auto-remediation enabled. For environments where compliance policy requires manual review before patching, HarborGuard surfaces the finding with full CVSS context and routing to the appropriate team. While waiting for a rebuild to be promoted, consider isolating the Postiz instance behind network policy rules that restrict access to the Skool callback endpoint to trusted sources only.

Affected packages

  • gitroomhq / postiz-app: < 2.21.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H