CVE-2026-48781
Postiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery
Description
Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed Full Access to the following: all parts of Postiz, including users registered to the specific instance and the ability to post in the name of the victim's social media channels added to that Postiz instance. This issue has been fixed in version 2.21.8.
INFO
Published Date :
June 16, 2026, 9:31 p.m.
Last Modified :
June 16, 2026, 9:31 p.m.
Remotely Exploit :
Yes !
Source :
GitHub_M
Affected Products
The following products are affected by CVE-2026-48781
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | MITRE-CVE |
Solution
- Update Postiz to version 2.21.8.
- Verify JWT signing and claims validation.
- Rotate JWT secrets if compromised.
- Review user impersonation logs.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-48781 vulnerability anywhere in the article.