Skip to main content

Mastodon CVE-2026-46348

| EUVDEUVD-2026-39053 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-24 GitHub_M
8.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.2 HIGH

Network-reachable SSRF with low complexity and no auth/UI; scope changes to backend loopback services with limited read/write of internal resources, so S:C and C:L/I:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 21:02 EUVD
Analysis Generated
Jun 24, 2026 - 20:22 vuln.today

DescriptionCVE.org

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the affected range to make Mastodon perform HTTP requests against loopback interfaces, potentially allowing access to otherwise private resources and services. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.

AnalysisAI

Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing HTTP requests to loopback interfaces, reaching private resources and internal services that should be unreachable from the public internet. The flaw stems from an incomplete IP-range blocklist that omitted a range capable of resolving to local addresses. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Mastodon fetch endpoint
Delivery
Craft URL in unfiltered IP range
Exploit
Submit/federate content with URL
Execution
Server fetches loopback target
Persist
Reach internal localhost services
Impact
Access private resources or trigger requests

Vulnerability AssessmentAI

Exploitation Exploitation requires Mastodon to be induced to fetch an attacker-controlled URL - i.e., it depends on Mastodon's outbound HTTP fetch behavior (link-preview/oEmbed generation, remote media retrieval, or ActivityPub actor/object resolution) being reachable by the attacker, and on the target host actually running services on its loopback interface that are worth reaching. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VC:N/VI:H/VA:N, score 8.7 High) indicates a remotely reachable, low-complexity issue with no privileges or user interaction and a high integrity impact, while curiously rating confidentiality as none - a notable inconsistency given that SSRF to loopback is typically used to READ private resources, suggesting the VI:H/VC:N split may reflect the ability to drive state-changing requests against internal services rather than pure data exfiltration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits or federates content containing a crafted URL whose host resolves to an address in the previously-unfiltered range; when Mastodon fetches it for a link preview, media, or actor resolution, the request lands on the server's loopback interface. The attacker thereby probes or interacts with internal-only services (admin endpoints, caches, metadata services) that are firewalled off from the public internet. …
Remediation Upgrade to a fixed release on your branch: Vendor-released patch 4.5.10, 4.4.17, or 4.3.23 - apply whichever matches your deployed major version (per GHSA-crr4-7rm4-8gpw at https://github.com/mastodon/mastodon/security/advisories/GHSA-crr4-7rm4-8gpw). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Mastodon instances in your infrastructure and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-46405 HIGH POC
7.5 Dec 04

Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts

CVE-2024-25618 HIGH POC
7.4 Feb 14

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnera

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2023-36460 CRITICAL
9.9 Jul 06

Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vul

CVE-2024-23832 CRITICAL
9.8 Feb 01

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2022-2166 CRITICAL
9.8 Nov 16

Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated c

CVE-2026-47389 HIGH
8.6 Jun 24

Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls autho

CVE-2026-27468 HIGH
8.2 Feb 24

Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe t

CVE-2026-41259 HIGH
8.2 Apr 23

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Masto

CVE-2024-37903 HIGH
8.2 Jul 05

Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remot

CVE-2024-25623 HIGH
7.7 Feb 19

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnera

CVE-2026-50129 HIGH
7.5 Jun 24

Denial of service in Mastodon affects all self-hosted instances prior to 4.5.11, 4.4.18, and 4.3.24, where the math cont

Share

CVE-2026-46348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy