Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
78 vulnerabilities by mastodon
CVE-2026-50129 (GCVE-0-2026-50129)
Vulnerability from cvelistv5 – Published: 2026-06-24 19:50 – Updated: 2026-06-24 19:50
VLAI
Title
Mastodon: Persistent anonymous DoS via unhandled NoMethodError in MATH_TRANSFORMER
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.11, 4.4.18, and 4.3.24, a DoS can be triggered by (Uncaught Exception vulerability), due to missing exception handling in the math sanitizer. Malformed <math> nodes can result in a DoS of a whole server or targeted users services, depending on the type of action that includes the malformed nodes and the services interacting with it. This vulnerability is fixed in 4.5.11, 4.4.18, and 4.3.24.
Severity
7.5 (High)
CWE
- CWE-248 - Uncaught Exception
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.5.0-beta.1, \u003c 4.5.11"
},
{
"status": "affected",
"version": "\u003e= 4.4.0-beta.1, \u003c 4.4.18"
},
{
"status": "affected",
"version": "\u003c 4.3.24"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.11, 4.4.18, and 4.3.24, a DoS can be triggered by (Uncaught Exception vulerability), due to missing exception handling in the math sanitizer. Malformed \u003cmath\u003e nodes can result in a DoS of a whole server or targeted users services, depending on the type of action that includes the malformed nodes and the services interacting with it. This vulnerability is fixed in 4.5.11, 4.4.18, and 4.3.24."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T19:50:51.968Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-qrgq-9fx2-vf2r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-qrgq-9fx2-vf2r"
}
],
"source": {
"advisory": "GHSA-qrgq-9fx2-vf2r",
"discovery": "UNKNOWN"
},
"title": "Mastodon: Persistent anonymous DoS via unhandled NoMethodError in MATH_TRANSFORMER"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-50129",
"datePublished": "2026-06-24T19:50:51.968Z",
"dateReserved": "2026-06-03T18:49:32.275Z",
"dateUpdated": "2026-06-24T19:50:51.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50128 (GCVE-0-2026-50128)
Vulnerability from cvelistv5 – Published: 2026-06-24 19:48 – Updated: 2026-06-24 19:48
VLAI
Title
Mastodon: Spoofing of attribution domains
Summary
Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how it is defined makes Linked Data Signatures on the toot:attributionDomains property ineffective. An attacker can arbitrarily modify the attributionDomains value of a legitimately signed Update activity and bypass Mastodon’s signature verification. This vulnerability is fixed in 4.5.11 and 4.4.18.
Severity
5.3 (Medium)
CWE
- CWE-354 - Improper Validation of Integrity Check Value
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.5.0-beta.1, \u003c 4.5.11"
},
{
"status": "affected",
"version": "\u003e= 4.3.0, \u003c 4.4.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how it is defined makes Linked Data Signatures on the toot:attributionDomains property ineffective. An attacker can arbitrarily modify the attributionDomains value of a legitimately signed Update activity and bypass Mastodon\u2019s signature verification. This vulnerability is fixed in 4.5.11 and 4.4.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-354",
"description": "CWE-354: Improper Validation of Integrity Check Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T19:48:52.942Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-rwcw-vq68-g34p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-rwcw-vq68-g34p"
}
],
"source": {
"advisory": "GHSA-rwcw-vq68-g34p",
"discovery": "UNKNOWN"
},
"title": "Mastodon: Spoofing of attribution domains"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-50128",
"datePublished": "2026-06-24T19:48:52.942Z",
"dateReserved": "2026-06-03T18:49:32.275Z",
"dateUpdated": "2026-06-24T19:48:52.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48028 (GCVE-0-2026-48028)
Vulnerability from cvelistv5 – Published: 2026-06-24 19:43 – Updated: 2026-06-24 19:43
VLAI
Title
Mastodon: Removal of integrity-protected JSON entries from signed activities
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from a third-party actor. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Severity
6.5 (Medium)
CWE
- CWE-354 - Improper Validation of Integrity Check Value
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.5.0-beta.1, \u003c 4.5.10"
},
{
"status": "affected",
"version": "\u003e= 4.4.0-beta.1, \u003c 4.4.17"
},
{
"status": "affected",
"version": "\u003c 4.3.23"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon\u0027s normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from a third-party actor. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-354",
"description": "CWE-354: Improper Validation of Integrity Check Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T19:43:01.469Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-53m7-2wrh-q839",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-53m7-2wrh-q839"
}
],
"source": {
"advisory": "GHSA-53m7-2wrh-q839",
"discovery": "UNKNOWN"
},
"title": "Mastodon: Removal of integrity-protected JSON entries from signed activities"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48028",
"datePublished": "2026-06-24T19:43:01.469Z",
"dateReserved": "2026-05-20T17:44:09.587Z",
"dateUpdated": "2026-06-24T19:43:01.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47389 (GCVE-0-2026-47389)
Vulnerability from cvelistv5 – Published: 2026-06-24 19:41 – Updated: 2026-06-24 19:41
VLAI
Title
Mastodon: SSRF protection bypass on older Ruby versions
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) corresponding to some private IPv4 addresses, depending on Ruby version, this can include loopback, RFC1918 private networks, and link-local space. An attacker who controls DNS for any domain can publish an AAAA record with such a mapped address; any outbound HTTP fetch Mastodon performs against that hostname then opens a real TCP connection to the underlying IPv4 address, including 127.0.0.1 and cloud-metadata endpoints such as 169.254.169.254. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Severity
8.6 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.5.0-beta.1, \u003c 4.5.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) corresponding to some private IPv4 addresses, depending on Ruby version, this can include loopback, RFC1918 private networks, and link-local space. An attacker who controls DNS for any domain can publish an AAAA record with such a mapped address; any outbound HTTP fetch Mastodon performs against that hostname then opens a real TCP connection to the underlying IPv4 address, including 127.0.0.1 and cloud-metadata endpoints such as 169.254.169.254. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T19:41:21.150Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xx55-4rrg-8xg6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xx55-4rrg-8xg6"
}
],
"source": {
"advisory": "GHSA-xx55-4rrg-8xg6",
"discovery": "UNKNOWN"
},
"title": "Mastodon: SSRF protection bypass on older Ruby versions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47389",
"datePublished": "2026-06-24T19:41:21.150Z",
"dateReserved": "2026-05-19T19:22:45.729Z",
"dateUpdated": "2026-06-24T19:41:21.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46349 (GCVE-0-2026-46349)
Vulnerability from cvelistv5 – Published: 2026-06-24 19:40 – Updated: 2026-06-24 19:40
VLAI
Title
Mastodon: LD-Signature Bypass via JSON-LD Named-Graph Restructuring
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing attackers to re-arrange a valid signed JSON-LD activity from a third-party actor to have it processed differently. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Severity
5.3 (Medium)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.5.0-beta.1, \u003c 4.5.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon\u0027s normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing attackers to re-arrange a valid signed JSON-LD activity from a third-party actor to have it processed differently. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T19:40:35.022Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-chgx-jx3p-rf73",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-chgx-jx3p-rf73"
}
],
"source": {
"advisory": "GHSA-chgx-jx3p-rf73",
"discovery": "UNKNOWN"
},
"title": "Mastodon: LD-Signature Bypass via JSON-LD Named-Graph Restructuring"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46349",
"datePublished": "2026-06-24T19:40:35.022Z",
"dateReserved": "2026-05-13T18:37:30.990Z",
"dateUpdated": "2026-06-24T19:40:35.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46348 (GCVE-0-2026-46348)
Vulnerability from cvelistv5 – Published: 2026-06-24 19:39 – Updated: 2026-06-24 19:39
VLAI
Title
Mastodon: SSRF Bypass via IPv6 Unspecified Address (::)
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the affected range to make Mastodon perform HTTP requests against loopback interfaces, potentially allowing access to otherwise private resources and services. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Severity
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.5.0-beta.1, \u003c 4.5.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the affected range to make Mastodon perform HTTP requests against loopback interfaces, potentially allowing access to otherwise private resources and services. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T19:39:46.332Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-crr4-7rm4-8gpw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-crr4-7rm4-8gpw"
}
],
"source": {
"advisory": "GHSA-crr4-7rm4-8gpw",
"discovery": "UNKNOWN"
},
"title": "Mastodon: SSRF Bypass via IPv6 Unspecified Address (::)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46348",
"datePublished": "2026-06-24T19:39:46.332Z",
"dateReserved": "2026-05-13T18:37:30.990Z",
"dateUpdated": "2026-06-24T19:39:46.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47777 (GCVE-0-2026-47777)
Vulnerability from cvelistv5 – Published: 2026-06-15 16:54 – Updated: 2026-06-15 18:51
VLAI
Title
Mastodon has a consent-check bypass in its remote Collections
Summary
Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the FeatureAuthorization object that is used to verify consent to be featured in a Collection and thus make it appear as if an account is allowed to be in a Collection when it actually is not. While the FeatureAuthorization must reside on the same domain as the object it is for, a check is missing to make sure said object is actually the same as in the Collection item. This allows an attacker to forge the authorization. Mastodon servers are affected only if running the main branch or nightly builds who have opted into testing the experimental "Collections" feature by setting the environment variable EXPERIMENTAL_FEATURES to a value including collections. This has been patched in version 4.6.0-beta.1.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/commit/22203… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47777",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T18:51:19.680491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T18:51:29.498Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= nightly.2026-03-10, \u003c 4.6.0-beta.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the FeatureAuthorization object that is used to verify consent to be featured in a Collection and thus make it appear as if an account is allowed to be in a Collection when it actually is not. While the FeatureAuthorization must reside on the same domain as the object it is for, a check is missing to make sure said object is actually the same as in the Collection item. This allows an attacker to forge the authorization. Mastodon servers are affected only if running the main branch or nightly builds who have opted into testing the experimental \"Collections\" feature by setting the environment variable EXPERIMENTAL_FEATURES to a value including collections. This has been patched in version 4.6.0-beta.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T16:54:44.612Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-vg36-gxjg-2v46",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-vg36-gxjg-2v46"
},
{
"name": "https://github.com/mastodon/mastodon/commit/22203f8aeb03e8f14dc62e253e83db39825a5bcf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/commit/22203f8aeb03e8f14dc62e253e83db39825a5bcf"
}
],
"source": {
"advisory": "GHSA-vg36-gxjg-2v46",
"discovery": "UNKNOWN"
},
"title": "Mastodon has a consent-check bypass in its remote Collections"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47777",
"datePublished": "2026-06-15T16:54:44.612Z",
"dateReserved": "2026-05-19T22:36:16.883Z",
"dateUpdated": "2026-06-15T18:51:29.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41259 (GCVE-0-2026-41259)
Vulnerability from cvelistv5 – Published: 2026-04-23 18:55 – Updated: 2026-04-23 19:24
VLAI
Title
Mastodon: Insufficient verification of email addresses
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-841 - Improper Enforcement of Behavioral Workflow
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T19:23:56.034984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T19:24:15.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.22"
},
{
"status": "affected",
"version": "\u003e= 4.4.0-beta.1, \u003c 4.4.16"
},
{
"status": "affected",
"version": "\u003e= 4.5.0-beta.1, \u003c 4.5.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-841",
"description": "CWE-841: Improper Enforcement of Behavioral Workflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T18:55:20.854Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-5r37-qpwq-2jhh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-5r37-qpwq-2jhh"
}
],
"source": {
"advisory": "GHSA-5r37-qpwq-2jhh",
"discovery": "UNKNOWN"
},
"title": "Mastodon: Insufficient verification of email addresses"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41259",
"datePublished": "2026-04-23T18:55:20.854Z",
"dateReserved": "2026-04-18T14:01:46.801Z",
"dateUpdated": "2026-04-23T19:24:15.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33869 (GCVE-0-2026-33869)
Vulnerability from cvelistv5 – Published: 2026-03-27 19:52 – Updated: 2026-03-27 20:29
VLAI
Title
Mastodon has a denial of service for quote authorization
Summary
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.
Severity
4.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33869",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T20:29:10.346345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T20:29:18.521Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.8"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T19:52:21.166Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-q4g8-82c5-9h33",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-q4g8-82c5-9h33"
}
],
"source": {
"advisory": "GHSA-q4g8-82c5-9h33",
"discovery": "UNKNOWN"
},
"title": "Mastodon has a denial of service for quote authorization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33869",
"datePublished": "2026-03-27T19:52:21.166Z",
"dateReserved": "2026-03-24T15:10:05.678Z",
"dateUpdated": "2026-03-27T20:29:18.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33868 (GCVE-0-2026-33868)
Vulnerability from cvelistv5 – Published: 2026-03-27 19:50 – Updated: 2026-03-31 18:54
VLAI
Title
Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>'
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33868",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T18:50:44.597749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T18:54:24.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.8"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.15"
},
{
"status": "affected",
"version": "\u003c 4.3.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T19:50:07.687Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xqw8-4j56-5hj6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xqw8-4j56-5hj6"
}
],
"source": {
"advisory": "GHSA-xqw8-4j56-5hj6",
"discovery": "UNKNOWN"
},
"title": "Mastodon has a GET-Based Open Redirect via \u0027/web/%2F\u003cdomain\u003e\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33868",
"datePublished": "2026-03-27T19:50:07.687Z",
"dateReserved": "2026-03-24T15:10:05.678Z",
"dateUpdated": "2026-03-31T18:54:24.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27477 (GCVE-0-2026-27477)
Vulnerability from cvelistv5 – Published: 2026-02-24 19:00 – Updated: 2026-02-26 19:29
VLAI
Title
Mastodon has SSRF via unvalidated FASP Provider base_url
Summary
Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen `base_url` that includes or resolves to a local / internal address, leading to the Mastodon server making requests to that address. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can force the Mastodon server to make http(s) requests to internal systems. While they cannot control the full URL that is being requested (only the prefix) and cannot see the result of those requests, vulnerabilities or other undesired behavior could be triggered in those systems. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/commit/7b85d… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27477",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T19:10:24.251802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T19:29:12.052Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.14"
},
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen `base_url` that includes or resolves to a local / internal address, leading to the Mastodon server making requests to that address. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can force the Mastodon server to make http(s) requests to internal systems. While they cannot control the full URL that is being requested (only the prefix) and cannot see the result of those requests, vulnerabilities or other undesired behavior could be triggered in those systems. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental \"fasp\" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T19:00:20.590Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-46w6-g98f-wxqm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-46w6-g98f-wxqm"
},
{
"name": "https://github.com/mastodon/mastodon/commit/7b85d2182361e68d51d9a02f94fb1070b5f503b1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/commit/7b85d2182361e68d51d9a02f94fb1070b5f503b1"
}
],
"source": {
"advisory": "GHSA-46w6-g98f-wxqm",
"discovery": "UNKNOWN"
},
"title": "Mastodon has SSRF via unvalidated FASP Provider base_url"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27477",
"datePublished": "2026-02-24T19:00:20.590Z",
"dateReserved": "2026-02-19T19:46:03.539Z",
"dateUpdated": "2026-02-26T19:29:12.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27468 (GCVE-0-2026-27468)
Vulnerability from cvelistv5 – Published: 2026-02-24 17:12 – Updated: 2026-02-27 20:50
VLAI
Title
Mastodon may allow unconfirmed FASP to make subscriptions
Summary
Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content did not check properly whether the FASP was actually approved. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can make subscriptions and request content backfill without approval by an administrator. Done once, this leads to minor information leak of URIs that are publicly available anyway. But done several times this is a serious vector for DOS, putting pressure on the sidekiq worker responsible for the `fasp` queue. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/commit/6ba62… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27468",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T20:50:45.668446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T20:50:52.856Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.14"
},
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content did not check properly whether the FASP was actually approved. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can make subscriptions and request content backfill without approval by an administrator. Done once, this leads to minor information leak of URIs that are publicly available anyway. But done several times this is a serious vector for DOS, putting pressure on the sidekiq worker responsible for the `fasp` queue. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental \"fasp\" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T17:12:40.349Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-qgmm-vr4c-ggjg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-qgmm-vr4c-ggjg"
},
{
"name": "https://github.com/mastodon/mastodon/commit/6ba6285a73c3a8b281123814d45f534e3bcebb96",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/commit/6ba6285a73c3a8b281123814d45f534e3bcebb96"
}
],
"source": {
"advisory": "GHSA-qgmm-vr4c-ggjg",
"discovery": "UNKNOWN"
},
"title": "Mastodon may allow unconfirmed FASP to make subscriptions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27468",
"datePublished": "2026-02-24T17:12:40.349Z",
"dateReserved": "2026-02-19T17:25:31.101Z",
"dateUpdated": "2026-02-27T20:50:52.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25540 (GCVE-0-2026-25540)
Vulnerability from cvelistv5 – Published: 2026-02-04 21:42 – Updated: 2026-02-05 18:30
VLAI
Title
Mastodon's signature-dependent ActivityPub collection responses cached under signature-independent keys (Web Cache Poisoning via `Rails.cache`)
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regards to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-524 - Use of Cache Containing Sensitive Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25540",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T18:30:03.654017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T18:30:11.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.19"
},
{
"status": "affected",
"version": "\u003c 4.4.13"
},
{
"status": "affected",
"version": "\u003c 4.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regards to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-524",
"description": "CWE-524: Use of Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:42:09.460Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr"
}
],
"source": {
"advisory": "GHSA-ccpr-m53r-mfwr",
"discovery": "UNKNOWN"
},
"title": "Mastodon\u0027s signature-dependent ActivityPub collection responses cached under signature-independent keys (Web Cache Poisoning via `Rails.cache`)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25540",
"datePublished": "2026-02-04T21:42:09.460Z",
"dateReserved": "2026-02-02T19:59:47.375Z",
"dateUpdated": "2026-02-05T18:30:11.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23964 (GCVE-0-2026-23964)
Vulnerability from cvelistv5 – Published: 2026-01-22 01:55 – Updated: 2026-01-22 17:02
VLAI
Title
Mastodon has insufficient access control to push notification settings
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23964",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T16:55:30.907556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T17:02:23.614Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.18"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.12"
},
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user\u0027s push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T01:55:29.904Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5"
}
],
"source": {
"advisory": "GHSA-f3q8-7vw3-69v4",
"discovery": "UNKNOWN"
},
"title": "Mastodon has insufficient access control to push notification settings"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23964",
"datePublished": "2026-01-22T01:55:29.904Z",
"dateReserved": "2026-01-19T14:49:06.313Z",
"dateUpdated": "2026-01-22T17:02:23.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23963 (GCVE-0-2026-23963)
Vulnerability from cvelistv5 – Published: 2026-01-22 01:53 – Updated: 2026-01-22 17:32
VLAI
Title
Mastodon missing length limits on list names, filter names, and filter keywords
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields to cause disproportionate storage and computing resource usage. They can additionally cause their own web interface to be unusable, although they must intentionally do this to themselves or unknowingly approve a malicious API client. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T17:30:37.333794Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T17:32:13.067Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.18"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.12"
},
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields to cause disproportionate storage and computing resource usage. They can additionally cause their own web interface to be unusable, although they must intentionally do this to themselves or unknowingly approve a malicious API client. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T01:53:49.887Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5"
}
],
"source": {
"advisory": "GHSA-6x3w-9g92-gvf3",
"discovery": "UNKNOWN"
},
"title": "Mastodon missing length limits on list names, filter names, and filter keywords"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23963",
"datePublished": "2026-01-22T01:53:49.887Z",
"dateReserved": "2026-01-19T14:49:06.313Z",
"dateUpdated": "2026-01-22T17:32:13.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23962 (GCVE-0-2026-23962)
Vulnerability from cvelistv5 – Published: 2026-01-22 01:51 – Updated: 2026-01-22 21:35
VLAI
Title
Mastodon vulnerable to Denial of Service from a single post (client/server)
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T21:34:54.544661Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T21:35:41.343Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.18"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.12"
},
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T01:51:37.430Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5"
}
],
"source": {
"advisory": "GHSA-gg8q-rcg7-p79g",
"discovery": "UNKNOWN"
},
"title": "Mastodon vulnerable to Denial of Service from a single post (client/server)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23962",
"datePublished": "2026-01-22T01:51:37.430Z",
"dateReserved": "2026-01-19T14:49:06.313Z",
"dateUpdated": "2026-01-22T21:35:41.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23961 (GCVE-0-2026-23961)
Vulnerability from cvelistv5 – Published: 2026-01-22 01:47 – Updated: 2026-01-22 21:38
VLAI
Title
Mastodon may allow a remote suspension bypass
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under certain circumstances, previously-unknown posts from suspended users can be processed. This issue allows old posts from suspended users to occasionally end up on timelines on all Mastodon versions. Additionally, on Mastodon versions from v4.5.0 to v4.5.4, v4.4.5 to v4.4.11, v4.3.13 to v4.3.17, and v4.2.26 to v4.2.29, remote suspended users can partially bypass the suspension to get new posts in. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T21:38:41.339884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T21:38:52.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.18"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.12"
},
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under certain circumstances, previously-unknown posts from suspended users can be processed. This issue allows old posts from suspended users to occasionally end up on timelines on all Mastodon versions. Additionally, on Mastodon versions from v4.5.0 to v4.5.4, v4.4.5 to v4.4.11, v4.3.13 to v4.3.17, and v4.2.26 to v4.2.29, remote suspended users can partially bypass the suspension to get new posts in. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T01:47:36.828Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5"
}
],
"source": {
"advisory": "GHSA-5h2f-wg8j-xqwp",
"discovery": "UNKNOWN"
},
"title": "Mastodon may allow a remote suspension bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23961",
"datePublished": "2026-01-22T01:47:36.828Z",
"dateReserved": "2026-01-19T14:49:06.313Z",
"dateUpdated": "2026-01-22T21:38:52.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22246 (GCVE-0-2026-22246)
Vulnerability from cvelistv5 – Published: 2026-01-08 15:27 – Updated: 2026-01-08 15:54
VLAI
Title
Local Mastodon users can enumerate and access severed relationships of every other local user
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/commit/68e30… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/commit/b2bcd… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/commit/c1fb6… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-08T15:51:57.907032Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T15:54:24.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.17"
},
{
"status": "affected",
"version": "\u003e= 4.4.0-beta.1, \u003c 4.4.11"
},
{
"status": "affected",
"version": "\u003e= 4.5.0-beta.1, \u003c 4.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T15:27:21.490Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24"
},
{
"name": "https://github.com/mastodon/mastodon/commit/68e30985ca7afdb89af1b2e9dc962e1993dc8076",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/commit/68e30985ca7afdb89af1b2e9dc962e1993dc8076"
},
{
"name": "https://github.com/mastodon/mastodon/commit/b2bcd34486fd6681cc0f30028086ef0f47282adf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/commit/b2bcd34486fd6681cc0f30028086ef0f47282adf"
},
{
"name": "https://github.com/mastodon/mastodon/commit/c1fb6893c5175d74c074f6f786d504c8bc610d57",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/commit/c1fb6893c5175d74c074f6f786d504c8bc610d57"
}
],
"source": {
"advisory": "GHSA-ww85-x9cp-5v24",
"discovery": "UNKNOWN"
},
"title": "Local Mastodon users can enumerate and access severed relationships of every other local user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22246",
"datePublished": "2026-01-08T15:27:21.490Z",
"dateReserved": "2026-01-07T05:19:12.921Z",
"dateUpdated": "2026-01-08T15:54:24.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47777 (GCVE-0-2026-47777)
Vulnerability from nvd – Published: 2026-06-15 16:54 – Updated: 2026-06-15 18:51
VLAI
Title
Mastodon has a consent-check bypass in its remote Collections
Summary
Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the FeatureAuthorization object that is used to verify consent to be featured in a Collection and thus make it appear as if an account is allowed to be in a Collection when it actually is not. While the FeatureAuthorization must reside on the same domain as the object it is for, a check is missing to make sure said object is actually the same as in the Collection item. This allows an attacker to forge the authorization. Mastodon servers are affected only if running the main branch or nightly builds who have opted into testing the experimental "Collections" feature by setting the environment variable EXPERIMENTAL_FEATURES to a value including collections. This has been patched in version 4.6.0-beta.1.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/commit/22203… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47777",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T18:51:19.680491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T18:51:29.498Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= nightly.2026-03-10, \u003c 4.6.0-beta.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the FeatureAuthorization object that is used to verify consent to be featured in a Collection and thus make it appear as if an account is allowed to be in a Collection when it actually is not. While the FeatureAuthorization must reside on the same domain as the object it is for, a check is missing to make sure said object is actually the same as in the Collection item. This allows an attacker to forge the authorization. Mastodon servers are affected only if running the main branch or nightly builds who have opted into testing the experimental \"Collections\" feature by setting the environment variable EXPERIMENTAL_FEATURES to a value including collections. This has been patched in version 4.6.0-beta.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T16:54:44.612Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-vg36-gxjg-2v46",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-vg36-gxjg-2v46"
},
{
"name": "https://github.com/mastodon/mastodon/commit/22203f8aeb03e8f14dc62e253e83db39825a5bcf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/commit/22203f8aeb03e8f14dc62e253e83db39825a5bcf"
}
],
"source": {
"advisory": "GHSA-vg36-gxjg-2v46",
"discovery": "UNKNOWN"
},
"title": "Mastodon has a consent-check bypass in its remote Collections"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47777",
"datePublished": "2026-06-15T16:54:44.612Z",
"dateReserved": "2026-05-19T22:36:16.883Z",
"dateUpdated": "2026-06-15T18:51:29.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41259 (GCVE-0-2026-41259)
Vulnerability from nvd – Published: 2026-04-23 18:55 – Updated: 2026-04-23 19:24
VLAI
Title
Mastodon: Insufficient verification of email addresses
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-841 - Improper Enforcement of Behavioral Workflow
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T19:23:56.034984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T19:24:15.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.22"
},
{
"status": "affected",
"version": "\u003e= 4.4.0-beta.1, \u003c 4.4.16"
},
{
"status": "affected",
"version": "\u003e= 4.5.0-beta.1, \u003c 4.5.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-841",
"description": "CWE-841: Improper Enforcement of Behavioral Workflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T18:55:20.854Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-5r37-qpwq-2jhh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-5r37-qpwq-2jhh"
}
],
"source": {
"advisory": "GHSA-5r37-qpwq-2jhh",
"discovery": "UNKNOWN"
},
"title": "Mastodon: Insufficient verification of email addresses"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41259",
"datePublished": "2026-04-23T18:55:20.854Z",
"dateReserved": "2026-04-18T14:01:46.801Z",
"dateUpdated": "2026-04-23T19:24:15.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33868 (GCVE-0-2026-33868)
Vulnerability from nvd – Published: 2026-03-27 19:50 – Updated: 2026-03-31 18:54
VLAI
Title
Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>'
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33868",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T18:50:44.597749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T18:54:24.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.8"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.15"
},
{
"status": "affected",
"version": "\u003c 4.3.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T19:50:07.687Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xqw8-4j56-5hj6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xqw8-4j56-5hj6"
}
],
"source": {
"advisory": "GHSA-xqw8-4j56-5hj6",
"discovery": "UNKNOWN"
},
"title": "Mastodon has a GET-Based Open Redirect via \u0027/web/%2F\u003cdomain\u003e\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33868",
"datePublished": "2026-03-27T19:50:07.687Z",
"dateReserved": "2026-03-24T15:10:05.678Z",
"dateUpdated": "2026-03-31T18:54:24.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33869 (GCVE-0-2026-33869)
Vulnerability from nvd – Published: 2026-03-27 19:52 – Updated: 2026-03-27 20:29
VLAI
Title
Mastodon has a denial of service for quote authorization
Summary
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.
Severity
4.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33869",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T20:29:10.346345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T20:29:18.521Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.8"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T19:52:21.166Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-q4g8-82c5-9h33",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-q4g8-82c5-9h33"
}
],
"source": {
"advisory": "GHSA-q4g8-82c5-9h33",
"discovery": "UNKNOWN"
},
"title": "Mastodon has a denial of service for quote authorization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33869",
"datePublished": "2026-03-27T19:52:21.166Z",
"dateReserved": "2026-03-24T15:10:05.678Z",
"dateUpdated": "2026-03-27T20:29:18.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27477 (GCVE-0-2026-27477)
Vulnerability from nvd – Published: 2026-02-24 19:00 – Updated: 2026-02-26 19:29
VLAI
Title
Mastodon has SSRF via unvalidated FASP Provider base_url
Summary
Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen `base_url` that includes or resolves to a local / internal address, leading to the Mastodon server making requests to that address. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can force the Mastodon server to make http(s) requests to internal systems. While they cannot control the full URL that is being requested (only the prefix) and cannot see the result of those requests, vulnerabilities or other undesired behavior could be triggered in those systems. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/commit/7b85d… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27477",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T19:10:24.251802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T19:29:12.052Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.14"
},
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen `base_url` that includes or resolves to a local / internal address, leading to the Mastodon server making requests to that address. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can force the Mastodon server to make http(s) requests to internal systems. While they cannot control the full URL that is being requested (only the prefix) and cannot see the result of those requests, vulnerabilities or other undesired behavior could be triggered in those systems. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental \"fasp\" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T19:00:20.590Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-46w6-g98f-wxqm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-46w6-g98f-wxqm"
},
{
"name": "https://github.com/mastodon/mastodon/commit/7b85d2182361e68d51d9a02f94fb1070b5f503b1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/commit/7b85d2182361e68d51d9a02f94fb1070b5f503b1"
}
],
"source": {
"advisory": "GHSA-46w6-g98f-wxqm",
"discovery": "UNKNOWN"
},
"title": "Mastodon has SSRF via unvalidated FASP Provider base_url"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27477",
"datePublished": "2026-02-24T19:00:20.590Z",
"dateReserved": "2026-02-19T19:46:03.539Z",
"dateUpdated": "2026-02-26T19:29:12.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27468 (GCVE-0-2026-27468)
Vulnerability from nvd – Published: 2026-02-24 17:12 – Updated: 2026-02-27 20:50
VLAI
Title
Mastodon may allow unconfirmed FASP to make subscriptions
Summary
Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content did not check properly whether the FASP was actually approved. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can make subscriptions and request content backfill without approval by an administrator. Done once, this leads to minor information leak of URIs that are publicly available anyway. But done several times this is a serious vector for DOS, putting pressure on the sidekiq worker responsible for the `fasp` queue. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/commit/6ba62… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27468",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T20:50:45.668446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T20:50:52.856Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.14"
},
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content did not check properly whether the FASP was actually approved. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can make subscriptions and request content backfill without approval by an administrator. Done once, this leads to minor information leak of URIs that are publicly available anyway. But done several times this is a serious vector for DOS, putting pressure on the sidekiq worker responsible for the `fasp` queue. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental \"fasp\" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T17:12:40.349Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-qgmm-vr4c-ggjg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-qgmm-vr4c-ggjg"
},
{
"name": "https://github.com/mastodon/mastodon/commit/6ba6285a73c3a8b281123814d45f534e3bcebb96",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/commit/6ba6285a73c3a8b281123814d45f534e3bcebb96"
}
],
"source": {
"advisory": "GHSA-qgmm-vr4c-ggjg",
"discovery": "UNKNOWN"
},
"title": "Mastodon may allow unconfirmed FASP to make subscriptions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27468",
"datePublished": "2026-02-24T17:12:40.349Z",
"dateReserved": "2026-02-19T17:25:31.101Z",
"dateUpdated": "2026-02-27T20:50:52.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25540 (GCVE-0-2026-25540)
Vulnerability from nvd – Published: 2026-02-04 21:42 – Updated: 2026-02-05 18:30
VLAI
Title
Mastodon's signature-dependent ActivityPub collection responses cached under signature-independent keys (Web Cache Poisoning via `Rails.cache`)
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regards to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-524 - Use of Cache Containing Sensitive Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25540",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T18:30:03.654017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T18:30:11.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.19"
},
{
"status": "affected",
"version": "\u003c 4.4.13"
},
{
"status": "affected",
"version": "\u003c 4.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regards to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-524",
"description": "CWE-524: Use of Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:42:09.460Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr"
}
],
"source": {
"advisory": "GHSA-ccpr-m53r-mfwr",
"discovery": "UNKNOWN"
},
"title": "Mastodon\u0027s signature-dependent ActivityPub collection responses cached under signature-independent keys (Web Cache Poisoning via `Rails.cache`)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25540",
"datePublished": "2026-02-04T21:42:09.460Z",
"dateReserved": "2026-02-02T19:59:47.375Z",
"dateUpdated": "2026-02-05T18:30:11.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23964 (GCVE-0-2026-23964)
Vulnerability from nvd – Published: 2026-01-22 01:55 – Updated: 2026-01-22 17:02
VLAI
Title
Mastodon has insufficient access control to push notification settings
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23964",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T16:55:30.907556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T17:02:23.614Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.18"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.12"
},
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user\u0027s push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T01:55:29.904Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5"
}
],
"source": {
"advisory": "GHSA-f3q8-7vw3-69v4",
"discovery": "UNKNOWN"
},
"title": "Mastodon has insufficient access control to push notification settings"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23964",
"datePublished": "2026-01-22T01:55:29.904Z",
"dateReserved": "2026-01-19T14:49:06.313Z",
"dateUpdated": "2026-01-22T17:02:23.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23963 (GCVE-0-2026-23963)
Vulnerability from nvd – Published: 2026-01-22 01:53 – Updated: 2026-01-22 17:32
VLAI
Title
Mastodon missing length limits on list names, filter names, and filter keywords
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields to cause disproportionate storage and computing resource usage. They can additionally cause their own web interface to be unusable, although they must intentionally do this to themselves or unknowingly approve a malicious API client. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T17:30:37.333794Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T17:32:13.067Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.18"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.12"
},
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields to cause disproportionate storage and computing resource usage. They can additionally cause their own web interface to be unusable, although they must intentionally do this to themselves or unknowingly approve a malicious API client. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T01:53:49.887Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5"
}
],
"source": {
"advisory": "GHSA-6x3w-9g92-gvf3",
"discovery": "UNKNOWN"
},
"title": "Mastodon missing length limits on list names, filter names, and filter keywords"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23963",
"datePublished": "2026-01-22T01:53:49.887Z",
"dateReserved": "2026-01-19T14:49:06.313Z",
"dateUpdated": "2026-01-22T17:32:13.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23962 (GCVE-0-2026-23962)
Vulnerability from nvd – Published: 2026-01-22 01:51 – Updated: 2026-01-22 21:35
VLAI
Title
Mastodon vulnerable to Denial of Service from a single post (client/server)
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T21:34:54.544661Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T21:35:41.343Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.18"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.12"
},
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T01:51:37.430Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5"
}
],
"source": {
"advisory": "GHSA-gg8q-rcg7-p79g",
"discovery": "UNKNOWN"
},
"title": "Mastodon vulnerable to Denial of Service from a single post (client/server)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23962",
"datePublished": "2026-01-22T01:51:37.430Z",
"dateReserved": "2026-01-19T14:49:06.313Z",
"dateUpdated": "2026-01-22T21:35:41.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23961 (GCVE-0-2026-23961)
Vulnerability from nvd – Published: 2026-01-22 01:47 – Updated: 2026-01-22 21:38
VLAI
Title
Mastodon may allow a remote suspension bypass
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under certain circumstances, previously-unknown posts from suspended users can be processed. This issue allows old posts from suspended users to occasionally end up on timelines on all Mastodon versions. Additionally, on Mastodon versions from v4.5.0 to v4.5.4, v4.4.5 to v4.4.11, v4.3.13 to v4.3.17, and v4.2.26 to v4.2.29, remote suspended users can partially bypass the suspension to get new posts in. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/releases/tag… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T21:38:41.339884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T21:38:52.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.18"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.12"
},
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 4.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under certain circumstances, previously-unknown posts from suspended users can be processed. This issue allows old posts from suspended users to occasionally end up on timelines on all Mastodon versions. Additionally, on Mastodon versions from v4.5.0 to v4.5.4, v4.4.5 to v4.4.11, v4.3.13 to v4.3.17, and v4.2.26 to v4.2.29, remote suspended users can partially bypass the suspension to get new posts in. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T01:47:36.828Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12"
},
{
"name": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5"
}
],
"source": {
"advisory": "GHSA-5h2f-wg8j-xqwp",
"discovery": "UNKNOWN"
},
"title": "Mastodon may allow a remote suspension bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23961",
"datePublished": "2026-01-22T01:47:36.828Z",
"dateReserved": "2026-01-19T14:49:06.313Z",
"dateUpdated": "2026-01-22T21:38:52.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22246 (GCVE-0-2026-22246)
Vulnerability from nvd – Published: 2026-01-08 15:27 – Updated: 2026-01-08 15:54
VLAI
Title
Local Mastodon users can enumerate and access severed relationships of every other local user
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/commit/68e30… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/commit/b2bcd… | x_refsource_MISC |
| https://github.com/mastodon/mastodon/commit/c1fb6… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-08T15:51:57.907032Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T15:54:24.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.17"
},
{
"status": "affected",
"version": "\u003e= 4.4.0-beta.1, \u003c 4.4.11"
},
{
"status": "affected",
"version": "\u003e= 4.5.0-beta.1, \u003c 4.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T15:27:21.490Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24"
},
{
"name": "https://github.com/mastodon/mastodon/commit/68e30985ca7afdb89af1b2e9dc962e1993dc8076",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/commit/68e30985ca7afdb89af1b2e9dc962e1993dc8076"
},
{
"name": "https://github.com/mastodon/mastodon/commit/b2bcd34486fd6681cc0f30028086ef0f47282adf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/commit/b2bcd34486fd6681cc0f30028086ef0f47282adf"
},
{
"name": "https://github.com/mastodon/mastodon/commit/c1fb6893c5175d74c074f6f786d504c8bc610d57",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/commit/c1fb6893c5175d74c074f6f786d504c8bc610d57"
}
],
"source": {
"advisory": "GHSA-ww85-x9cp-5v24",
"discovery": "UNKNOWN"
},
"title": "Local Mastodon users can enumerate and access severed relationships of every other local user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22246",
"datePublished": "2026-01-08T15:27:21.490Z",
"dateReserved": "2026-01-07T05:19:12.921Z",
"dateUpdated": "2026-01-08T15:54:24.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}