📄 Description (English)
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.) which is trivially bypassed by appending an image extension to any URL path. An authenticated API user can fetch internal network resources, cloud instance metadata, and other internal services, with the response data uploaded to storage and returned to the attacker. This issue has been patched in version 2.21.3.
🤖 AI Executive Summary
Postiz versions prior to 2.21.3 contain a Server-Side Request Forgery (SSRF) vulnerability in the POST /public/v1/upload-from-url endpoint that allows authenticated API users to fetch internal network resources and cloud metadata without proper validation. The vulnerability bypasses file extension checks through URL path manipulation, enabling attackers to access sensitive internal services and exfiltrate data. With a CVSS score of 7.7 and publicly available exploits, this poses an immediate risk to organizations using Postiz for social media management.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 29, 2026 17:51
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Postiz for social media management—particularly in government communications, banking digital marketing, healthcare public relations, and telecom sectors—face significant risk. Attackers could access internal network resources, ARAMCO/energy sector internal systems, SAMA banking infrastructure metadata, NCA government networks, and STC/telecom internal services. The vulnerability is particularly dangerous for organizations with Postiz instances connected to corporate networks or cloud environments, as it enables lateral movement and reconnaissance of internal infrastructure.
🏢 Affected Saudi Sectors
Government Communications
Banking and Financial Services
Healthcare
Energy and Utilities
Telecommunications
Media and Broadcasting
Retail and E-commerce
Education
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Upgrade Postiz to version 2.21.3 or later immediately
2. Review API access logs for the POST /public/v1/upload-from-url endpoint to identify suspicious requests
3. Audit all uploaded files from this endpoint for the past 90 days to detect exfiltrated data
4. Revoke and rotate API keys for all users with access to the upload endpoint
5. Implement network segmentation to isolate Postiz instances from sensitive internal networks
PATCHING GUIDANCE:
- Deploy version 2.21.3 in a test environment first
- Verify patch effectiveness by testing URL validation with internal IP addresses and metadata endpoints
- Schedule production deployment during maintenance windows
COMPENSATING CONTROLS (if immediate patching not possible):
- Implement Web Application Firewall (WAF) rules to block requests to /public/v1/upload-from-url endpoint
- Restrict outbound network access from Postiz servers to only required external domains
- Disable the upload-from-url feature entirely until patching is complete
- Implement strict IP whitelisting for API access
- Monitor for suspicious URL patterns in request logs (internal IPs, metadata endpoints, localhost)
DETECTION RULES:
- Alert on POST requests to /public/v1/upload-from-url with URLs containing: 169.254.169.254, 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- Monitor for file uploads with suspicious metadata or internal IP addresses in filenames
- Track API key usage patterns for unusual access to upload endpoint
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. ترقية Postiz إلى الإصدار 2.21.3 أو أحدث على الفور
2. مراجعة سجلات وصول API لنقطة النهاية POST /public/v1/upload-from-url لتحديد الطلبات المريبة
3. تدقيق جميع الملفات المرفوعة من هذه النقطة النهاية خلال آخر 90 يوماً للكشف عن البيانات المسربة
4. إلغاء وتدوير مفاتيح API لجميع المستخدمين الذين لديهم وصول إلى نقطة النهاية
5. تنفيذ تقسيم الشبكة لعزل مثيلات Postiz عن الشبكات الداخلية الحساسة
إرشادات التصحيح:
- نشر الإصدار 2.21.3 في بيئة الاختبار أولاً
- التحقق من فعالية التصحيح بواسطة اختبار التحقق من صحة URL مع عناوين IP الداخلية ونقاط نهاية البيانات الوصفية
- جدولة النشر في الإنتاج خلال نوافذ الصيانة
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
- تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر الطلبات إلى نقطة النهاية /public/v1/upload-from-url
- تقييد الوصول الخارج من خوادم Postiz إلى النطاقات الخارجية المطلوبة فقط
- تعطيل ميزة upload-from-url بالكامل حتى يتم إكمال التصحيح
- تنفيذ قائمة بيضاء صارمة لعناوين IP لوصول API
- مراقبة أنماط URL المريبة في سجلات الطلبات (عناوين IP الداخلية، نقاط نهاية البيانات الوصفية، localhost)
قواعد الكشف:
- تنبيه على طلبات POST إلى /public/v1/upload-from-url مع عناوين URL تحتوي على: 169.254.169.254، 127.0.0.1، 10.0.0.0/8، 172.16.0.0/12، 192.168.0.0/16
- مراقبة تحميلات الملفات ببيانات وصفية مريبة أو عناوين IP داخلية في أسماء الملفات
- تتبع أنماط استخدام مفاتيح API للوصول غير المعتاد إلى نقطة النهاية
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.8.1.1 - User access management
A.12.2.1 - Change management procedures
A.13.1.1 - Network security perimeter
A.14.2.1 - System development and maintenance
🔵 SAMA CSF
ID.AM-2 - Software platforms and applications are inventoried
PR.AC-1 - Identities and credentials are issued and managed
PR.DS-2 - Data-in-transit is protected
DE.CM-1 - The network is monitored for unauthorized connections
RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
A.5.1.1 - Information security policies
A.8.1.4 - Access management review
A.12.2.1 - Change management
A.13.1.3 - Segregation of networks
A.14.2.1 - Secure development policy
🟣 PCI DSS v4.0.1
Requirement 1.3 - Prohibit direct public access between the Internet and any system component
Requirement 6.5.10 - Broken authentication
Requirement 11.3 - Penetration testing
📦 Affected Products / CPE 1 entries
gitroom:postiz