PatchSiren cyber security CVE debrief
CVE-2026-48783 gitroomhq CVE debrief
CVE-2026-48783 is a medium-severity vulnerability in Postiz, an AI social media scheduling tool. The issue, fixed in version 2.21.8, involves an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint could not change the persisted subscription tier but did execute enforcement-related side effects on the caller's own organization. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. Organizations using Postiz should ensure they are on version 2.21.8 or later to mitigate this vulnerability.
- Vendor: gitroomhq
- Product: postiz-app
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-17
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-17
- Advisory updated: 2026-06-17
Who should care
Administrators and users of Postiz, an AI social media scheduling tool, should be aware of this vulnerability if they run a version earlier than 2.21.8. It could allow an attacker to trigger subscription-enforcement side effects within their own organization; the impact does not extend to other tenants.
Technical summary
The vulnerability exists in an unauthenticated endpoint, /public/modify-subscription, in Postiz versions prior to 2.21.8. This endpoint accepts a signed token and applies subscription-enforcement side effects to the organization referenced in the token's claims without verifying the token's intended purpose. Although the endpoint cannot change the persisted subscription tier, it can execute other side effects such as adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan is the free tier. The CVSS score for this vulnerability is 4.8, indicating a medium severity level.
Defensive priority
Medium
Recommended defensive actions
- Update Postiz to version 2.21.8 or later, where the issue is fixed.
- Review and monitor requests to the /public/modify-subscription endpoint for unexpected activity.
- Make sure team members know about this vulnerability and its potential impact.
- Consider additional controls to protect against unauthorized access.
- Keep Postiz updated regularly so the latest security patches are applied.
- Monitor your organization's Postiz settings and subscription plan for unauthorized changes.
Evidence notes
The information provided is based on the CVE-2026-48783 record and related sources. The vulnerability was published on June 17, 2026, and last modified on the same day. The CVSS score is 4.8, indicating a medium severity level. The vulnerability was fixed in Postiz version 2.21.8.
Official resources
public