Vulnerability Description
Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://github.com/gitroomhq/postiz-app/commit/da448012dd87e94944cbe83a38e7fd023
- https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-v975-9h5p-xhm4
FAQ
What is CVE-2026-42298?
CVE-2026-42298 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows an...
How severe is CVE-2026-42298?
CVE-2026-42298 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-42298?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.