Critical JWT Forgery Flaw in Postiz Enables SUPERADMIN Takeover
A critical vulnerability in Postiz allows any authenticated user to escalate privileges to SUPERADMIN by forging JWTs through the application's Skool integration callback. Tracked as CVE-2026-48781 and GHSA-j77w-h625-56q2, the flaw stems from attacker-controlled JSON being signed into a session-like token with the application's JWT_SECRET, while authentication logic trusted the token's claims without reloading the user record from the database.
The bug affects Postiz versions prior to 2.21.8 and enables cross-tenant takeover, arbitrary organization impersonation, full access across the affected instance, exposure of all registered users, and the ability to post through victims' connected social media accounts. The issue is rated CVSS 9.9 (Critical), was verified and patched by the vendor, and defenders are advised to upgrade to 2.21.8, rotate JWT secrets if compromise is suspected, and review logs for impersonation or unauthorized access activity.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Postiz fixes SUPERADMIN takeover flaw in version 2.21.8
Postiz verified a privilege-escalation vulnerability in the Skool integration callback and produced a fix on 2026-05-22. The issue was patched in Postiz version 2.21.8, with no workaround other than upgrading.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-48781 - Postiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery
cvefeed.io
Open sourceSUPERADMIN takeover via Skool-provider JWT forgery · Advisory · gitroomhq/postiz-app · GitHub
github.com
Open sourcePSA-2026-2CAQ96: SUPERADMIN takeover via Skool-provider JWT forgery - GAdvisory
gadvisory.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cal.com NextAuth JWT Session Update Authentication Bypass (CVE-2026-23478)
A **critical authentication bypass** in the Cal.com open-source scheduling platform allows remote attackers to **hijack arbitrary user accounts** by abusing a flaw in a custom *NextAuth* JWT callback used during session updates. Tracked as **CVE-2026-23478** (reported as **CVSS 10.0**), the issue affects Cal.com versions **>= 3.1.6 and < 6.0.7** and is exploitable over the network with minimal prerequisites—primarily knowledge of a victim’s email address. The weakness occurs when the session trigger is set to `"update"`, where Cal.com improperly accepts **client-controlled identity fields** and writes them into the JWT without server-side validation (mapped to issues such as **CWE-602** and **CWE-639**). An attacker can send a single API call like `session.update({ email: "victim@example.com" })` to produce a manipulated token that retains the attacker’s `sub` but swaps in the victim’s email; subsequent requests are treated as the victim because the application looks up users using the attacker-controlled `token.email` field. Successful exploitation yields full access to victim data and capabilities (bookings, event types, integrations, org membership, billing, and potentially admin privileges), and **2FA/external IdP associations do not mitigate** because the compromise occurs at the session token level; **Cal.com 6.0.7+** is cited as containing the fix.
Jun 29, 2026
Authentication Bypass in pac4j-jwt via Forged JWE/PlainJWT Claims
A **maximum-severity authentication bypass** was disclosed in *pac4j*’s JWT component (*pac4j-jwt*), tracked as **CVE-2026-29000**, affecting a widely used Java security engine embedded across many downstream software packages. The issue is a **logic flaw** that enables attackers to bypass authentication controls by crafting tokens/claims in a way that defeats expected verification, raising concern because exploitation can be relatively straightforward and the library’s transitive use complicates exposure tracking and patch rollout across dependent applications. Public **proof-of-concept (PoC)** code is available, and reporting indicates an attacker who can obtain a target server’s **RSA public key** (often publicly accessible) can forge a **JWE-wrapped PlainJWT** containing arbitrary `sub` and role claims to bypass signature verification and authenticate as any user, including administrators. The pac4j maintainer disclosed the defect and released patched versions shortly after private reporting; while there were no confirmed in-the-wild exploits at the time of reporting, defenders should expect downstream vendors and application owners to issue their own advisories and updates as they assess inherited risk from bundled pac4j versions.
Jun 29, 2026
Postiz patched unauthenticated SSRF flaws in public stream endpoints
Postiz, an AI social media scheduling tool, patched two **server-side request forgery** vulnerabilities affecting its public stream functionality. `CVE-2026-34577` exposed an unauthenticated flaw in `GET /public/stream`, where a user-controlled `url` parameter could cause the server to fetch and return the full HTTP response to the requester. The endpoint relied on an extension check requiring the URL to end in `mp4`, but that validation could be trivially bypassed, enabling access to internal services, cloud metadata endpoints, and other internal network resources. The issue was fixed in version **2.21.3** and assigned **CWE-918**.
Jun 29, 2026