Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.
AnalysisAI
Mastodon versions 4.5.x before 4.5.8 and 4.4.x before 4.4.15 allow unauthenticated attackers with prior knowledge of a quote to prevent its correct processing on a target server, resulting in limited integrity and availability impact. The vulnerability exploits timing and knowledge of ActivityPub quote structures to disrupt social content distribution. Patches are available in Mastodon 4.5.8 and 4.4.15; versions 4.3 and earlier are unaffected due to lack of quote support.
Technical ContextAI
Mastodon implements the ActivityPub protocol for federated social networking, including support for quote posts (shared in versions 4.4 and later). The vulnerability resides in how Mastodon processes incoming quote objects when they arrive at a server. An attacker with advance knowledge of a quote's structure can craft or time attacks to interfere with server-side validation or processing logic, exploiting insufficient authorization checks or race conditions in quote handling. CWE-863 (Incorrect Authorization) indicates the root cause involves improper permission or validation checks when processing remote ActivityPub quote objects, allowing an unauthenticated attacker to influence quote processing without proper authorization.
RemediationAI
Upgrade Mastodon to version 4.5.8 or later (4.5.x branch) or version 4.4.15 or later (4.4.x branch). No workarounds are documented for earlier versions. Administrators should consult the official Mastodon security advisory at https://github.com/mastodon/mastodon/security/advisories/GHSA-q4g8-82c5-9h33 for deployment guidance and any additional mitigation steps specific to their instance configuration.
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnera
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vul
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated c
Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing
Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls autho
Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe t
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Masto
Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remot
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnera
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16785