{"api_version":"1","generated_at":"2026-06-17T18:11:04+00:00","cve":"CVE-2026-48781","urls":{"html":"https://cve.report/CVE-2026-48781","api":"https://cve.report/api/cve/CVE-2026-48781.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-48781","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-48781"},"summary":{"title":"Postiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery","description":"Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed Full Access to the following: all parts of Postiz, including users registered to the specific instance and the ability to post in the name of the victim's social media channels added to that Postiz instance. This issue has been fixed in version 2.21.8.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-06-17 13:20:43","updated_at":"2026-06-17 16:18:00"},"problem_types":["CWE-302","CWE-345","CWE-863","CWE-302 CWE-302: Authentication Bypass by Assumed-Immutable Data","CWE-345 CWE-345: Insufficient Verification of Data Authenticity","CWE-863 CWE-863: Incorrect Authorization"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"9.9","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.9","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"http://github.com/gitroomhq/postiz-app/releases/tag/v2.21.8","name":"http://github.com/gitroomhq/postiz-app/releases/tag/v2.21.8","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://gadvisory.org/advisories/PSA-2026-2CAQ96","name":"https://gadvisory.org/advisories/PSA-2026-2CAQ96","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/gitroomhq/postiz-app/commit/23696d2973510ae1f3f48bfa41a6bfbbf9827b05","name":"https://github.com/gitroomhq/postiz-app/commit/23696d2973510ae1f3f48bfa41a6bfbbf9827b05","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-j77w-h625-56q2","name":"https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-j77w-h625-56q2","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-48781","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48781","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"gitroomhq","product":"postiz-app","version":"affected < 2.21.8","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"postiz-app","vendor":"gitroomhq","versions":[{"status":"affected","version":"< 2.21.8"}]}],"descriptions":[{"lang":"en","value":"Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed Full Access to the following: all parts of Postiz, including users registered to the specific instance and the ability to post in the name of the victim's social media channels added to that Postiz instance. This issue has been fixed in version 2.21.8."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-302","description":"CWE-302: Authentication Bypass by Assumed-Immutable Data","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-345","description":"CWE-345: Insufficient Verification of Data Authenticity","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-863","description":"CWE-863: Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-16T21:31:28.955Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-j77w-h625-56q2","tags":["x_refsource_CONFIRM"],"url":"https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-j77w-h625-56q2"},{"name":"https://github.com/gitroomhq/postiz-app/commit/23696d2973510ae1f3f48bfa41a6bfbbf9827b05","tags":["x_refsource_MISC"],"url":"https://github.com/gitroomhq/postiz-app/commit/23696d2973510ae1f3f48bfa41a6bfbbf9827b05"},{"name":"https://gadvisory.org/advisories/PSA-2026-2CAQ96","tags":["x_refsource_MISC"],"url":"https://gadvisory.org/advisories/PSA-2026-2CAQ96"},{"name":"http://github.com/gitroomhq/postiz-app/releases/tag/v2.21.8","tags":["x_refsource_MISC"],"url":"http://github.com/gitroomhq/postiz-app/releases/tag/v2.21.8"}],"source":{"advisory":"GHSA-j77w-h625-56q2","discovery":"UNKNOWN"},"title":"Postiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-48781","datePublished":"2026-06-16T21:31:28.955Z","dateReserved":"2026-05-22T20:18:20.365Z","dateUpdated":"2026-06-16T21:31:28.955Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-17 13:20:43","lastModifiedDate":"2026-06-17 16:18:00","problem_types":["CWE-302","CWE-345","CWE-863","CWE-302 CWE-302: Authentication Bypass by Assumed-Immutable Data","CWE-345 CWE-345: Insufficient Verification of Data Authenticity","CWE-863 CWE-863: Incorrect Authorization"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"48781","Ordinal":"1","Title":"Postiz has cross-tenant SUPERADMIN takeover via Skool-provider J","CVE":"CVE-2026-48781","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"48781","Ordinal":"1","NoteData":"Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed Full Access to the following: all parts of Postiz, including users registered to the specific instance and the ability to post in the name of the victim's social media channels added to that Postiz instance. This issue has been fixed in version 2.21.8.","Type":"Description","Title":"Postiz has cross-tenant SUPERADMIN takeover via Skool-provider J"}]}}}