CVE-2026-42298: Critical RCE in Postiz AI Scheduling Tool
The National Vulnerability Database has published CVE-2026-42298, a critical remote code execution (RCE) vulnerability in Postiz, an AI social media scheduling tool. Prior to commit da44801, the 'Build and Publish PR Docker Image' workflow (.github/workflows/pr-docker-build.yml) let any unauthenticated user execute arbitrary code during the Docker build step.
The code that ran during the build could exfiltrate the workflow's GITHUB_TOKEN, which carried write-all permissions. The attacker needs only to open a pull request from a fork whose Dockerfile.dev has been modified; no credentials on the target repository are required. NVD rates the issue CVSS 10.0 (CRITICAL).
The issue is classified as CWE-94 (Improper Control of Generation of Code, 'Code Injection') and is fixed by commit da44801. Organizations running CI/CD pipelines on public repositories, particularly pipelines that build Docker images from pull requests, should understand this supply-chain vector: the build step itself executes attacker-supplied instructions, and whatever token or secret is reachable from that step is exposed.
What This Means For You
- If your organization runs Postiz, confirm that the upstream repository carries commit `da44801` or later. The flaw is in the repository's CI workflow rather than in the shipped application, so the exposure for downstream users is the integrity of images and releases built while the workflow was vulnerable: a stolen write-all GITHUB_TOKEN can modify code, tags and published packages. Review the provenance of any Postiz image or release pulled from that period.
- More broadly, any workflow triggered by external pull requests that executes contributor-controlled code, or that has a write-capable GITHUB_TOKEN or repository secrets in scope, is a prime supply-chain target. Scope `permissions:` per job, do not build untrusted code under privileged triggers, and treat the build itself as attacker-controlled input.
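The pattern behind this CVE, as an added example that is not Postiz code and not the actual contents of pr-docker-build.yml before or after da44801: a weak workflow beside a hardened one, plus a small static check that flags the weak shape. In GitHub Actions a fork PR built under the plain `pull_request` trigger receives a read-only GITHUB_TOKEN and no repository secrets, so a write-all token in a fork-triggered build implies a privileged trigger such as `pull_request_target`; the vulnerable sample assumes that, which the advisory does not state, and the advisory also does not say how the token became reachable from inside the build. Workflow bodies, repository and image names are constructed; the check is heuristic and line-based so it runs without third-party packages.

```python
"""Static check for the CI pattern behind CVE-2026-42298.

Added example, not code from the Postiz project or the original advisory.
Flags a workflow that runs fork-supplied code under a privileged trigger,
builds a Docker image from it, and leaves GITHUB_TOKEN unrestricted.
"""
import re

# Constructed sample: the weak shape. pull_request_target runs in the base
# repository's context (secrets, write-capable token) yet checks out and
# builds the fork's code, so the fork's Dockerfile.dev is executed there.
VULNERABLE_WORKFLOW = """\
name: Build and Publish PR Docker Image
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: docker build -f Dockerfile.dev -t postiz-pr:${{ github.event.number }} .
"""

# Constructed sample: the hardened shape. A fork PR under pull_request gets a
# read-only token and no secrets, and permissions are scoped explicitly.
HARDENED_WORKFLOW = """\
name: Build PR Docker Image
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -f Dockerfile.dev -t postiz-pr:${{ github.event.number }} .
"""

# Triggers that run with the base repository's secrets and token.
PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment", "workflow_run")
HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
DOCKER_BUILD = re.compile(r"docker\s+(buildx\s+)?build\b|docker/build-push-action")
# [ \t]* rather than \s* so a block-form 'permissions:' yields an empty group.
PERMISSIONS = re.compile(r"^permissions:[ \t]*(.*)$", re.M)


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings for one workflow file's text."""
    findings = []
    privileged = [t for t in PRIVILEGED_TRIGGERS
                  if re.search(rf"^\s*{t}\s*:", text, re.M)]
    checks_out_head = HEAD_CHECKOUT.search(text) is not None
    builds_docker = DOCKER_BUILD.search(text) is not None

    if privileged and checks_out_head:
        findings.append(
            f"{'/'.join(privileged)} trigger checks out the PR head: fork code "
            "runs in the base repository's context, with its secrets and token")
        if builds_docker:
            findings.append(
                "the fork-controlled Dockerfile is built in that privileged job; "
                "its RUN instructions are attacker-chosen code executed on the runner")

    perm = PERMISSIONS.search(text)
    if perm is None:
        findings.append("no 'permissions:' block: GITHUB_TOKEN inherits the "
                        "repository default, which may be write-all")
    elif perm.group(1).strip() == "write-all":
        findings.append("GITHUB_TOKEN is write-all; scope it per job "
                        "(for example 'contents: read' plus 'packages: write')")
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or ["no findings"])
```

The check deliberately reports the trigger/checkout combination and the unrestricted token as separate findings: fixing only one of them still leaves a weaker but real exposure, and a reviewer should see both.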
🛡️ Detection Rules
```yaml
title: CVE-2026-42298: Malicious PR Dockerfile in Postiz AI Scheduling Tool
id: scw-2026-05-08-ai-1
status: experimental
level: critical
description: |
  Detects 'docker build' (including 'docker buildx build') invocations that target Dockerfile.dev,
  the initial exploitation step of CVE-2026-42298, where a malicious Dockerfile.dev in a forked PR is
  built by the Postiz 'Build and Publish PR Docker Image' workflow (.github/workflows/pr-docker-build.yml).
  Process creation telemetry exists only on self-hosted runners; on GitHub-hosted runners, review the
  repository's workflow run history and audit log for fork-triggered runs of this workflow instead.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42298/
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
detection:
  selection:
    CommandLine|contains|all:
      - 'docker build'
      - 'Dockerfile.dev'
  condition: selection
falsepositives:
  - Legitimate builds of Dockerfile.dev by the same workflow or by developers on self-hosted runners
```
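When process telemetry is not available, the evidence lives in GitHub's own records. The following added example (not from the advisory or the Postiz project) triages workflow_run events: it keeps runs of pr-docker-build.yml whose head repository differs from the base repository, and ranks highest those whose head commit touched Dockerfile.dev. Events and file lists are constructed; field names follow GitHub's workflow_run webhook payload, the repository names are placeholders, and the per-commit file lists stand in for what the pull request files API would return.

```python
"""Triage GitHub workflow runs for exposure to CVE-2026-42298.

Added example, not from the original advisory or the Postiz project.
Finds runs of the PR image workflow that executed fork-supplied code and
flags those whose commit changed Dockerfile.dev.
"""

WORKFLOW_PATH = ".github/workflows/pr-docker-build.yml"
BUILD_FILE = "Dockerfile.dev"
BASE_REPO = "example-org/postiz-app"  # placeholder, not the real repository name


def make_event(run_id, head_repo, head_sha, path=WORKFLOW_PATH,
               trigger="pull_request_target"):
    """Trimmed workflow_run webhook payload (constructed test data)."""
    return {
        "repository": {"full_name": BASE_REPO},
        "workflow_run": {
            "id": run_id,
            "path": path,
            "event": trigger,
            "head_repository": {"full_name": head_repo},
            "head_sha": head_sha,
        },
    }


# Constructed events: fork PR that edited Dockerfile.dev, fork PR with an
# unrelated change, a same-repository branch, and a fork run of another workflow.
SAMPLE_EVENTS = [
    make_event(1001, "attacker/postiz-app", "a" * 40),
    make_event(1002, "contributor/postiz-app", "b" * 40),
    make_event(1003, BASE_REPO, "c" * 40),
    make_event(1004, "attacker/postiz-app", "a" * 40,
               path=".github/workflows/lint.yml"),
]

# Constructed: files changed in each head commit (what the pull request
# files API would return for the PR that produced the commit).
CHANGED_FILES = {
    "a" * 40: ["Dockerfile.dev", "apps/frontend/src/app.tsx"],
    "b" * 40: ["README.md"],
    "c" * 40: ["Dockerfile.dev"],
}


def classify_run(event, changed_files, workflow_path=WORKFLOW_PATH):
    """Return 'high', 'review' or None for one workflow_run event.

    Only the vulnerable workflow matters, and only when the head repository
    is not the base repository: a same-repo branch means the author already
    had write access, so there is no privilege to gain.
    """
    run = event["workflow_run"]
    if run.get("path") != workflow_path:
        return None
    head_repo = (run.get("head_repository") or {}).get("full_name")
    if not head_repo or head_repo == event["repository"]["full_name"]:
        return None
    files = changed_files.get(run.get("head_sha"), [])
    return "high" if BUILD_FILE in files else "review"


def triage(events, changed_files):
    """Map run id -> severity for every run worth a look, 'high' first."""
    result = {}
    for ev in events:
        severity = classify_run(ev, changed_files)
        if severity is not None:
            result[ev["workflow_run"]["id"]] = severity
    return dict(sorted(result.items(), key=lambda kv: kv[1] != "high"))


if __name__ == "__main__":
    for run_id, severity in triage(SAMPLE_EVENTS, CHANGED_FILES).items():
        print(f"run {run_id}: {severity}")
```

Runs rated 'review' still deserve a look: a fork's Dockerfile.dev is not the only way to run code during a build (a modified script that the Dockerfile copies and executes has the same effect), so the file filter is a prioritization aid, not an exoneration.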
Affected Components
| CVE | Category | Detail |
|---|---|---|
| CVE-2026-42298 | Product | Postiz AI social media scheduling tool |
| CVE-2026-42298 | Affected versions | Postiz prior to commit da44801 |
| CVE-2026-42298 | Vulnerable workflow | .github/workflows/pr-docker-build.yml |
| CVE-2026-42298 | Attacker-controlled file | Dockerfile.dev (in the fork's pull request) |
| CVE-2026-42298 | Impact | RCE on the build runner; exfiltration of GITHUB_TOKEN with write-all permissions |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 09, 2026 at 02:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.