Skip to main content

Mastodon CVE-2026-48028

| EUVDEUVD-2026-39056 MEDIUM
Improper Validation of Integrity Check Value (CWE-354)
2026-06-24 GitHub_M
6.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Federation network delivery requires no victim-side auth (AV:N/PR:N/AC:L); impact limited to low integrity spoofing and minor availability disruption; no confidentiality breach.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 21:02 EUVD
Analysis Generated
Jun 24, 2026 - 20:21 vuln.today

DescriptionCVE.org

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from a third-party actor. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.

AnalysisAI

Linked-Data Signature normalization in Mastodon allows unauthenticated remote attackers to remove JSON entries from valid signed ActivityPub activities, effectively spoofing or distorting federated content attributed to legitimate third-party actors. All Mastodon instances prior to versions 4.5.10, 4.4.17, and 4.3.23 are affected across all maintained release branches. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Operate or compromise an ActivityPub-federated server
Delivery
Obtain or relay a legitimately signed activity from a trusted third-party actor
Exploit
Strip targeted JSON-LD entries from the signed payload
Execution
Deliver manipulated activity to target Mastodon instance over ActivityPub
Persist
Target normalizes activity and passes LD-Signature verification
Impact
Instance processes spoofed content as authentic

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Mastodon instance has federation enabled and is configured to accept activities from external ActivityPub servers, which is the default configuration for all public Mastodon deployments. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 base score of 6.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L accurately characterizes this as a remotely exploitable, low-complexity flaw requiring no authentication and no user interaction, yielding limited integrity and marginal availability impact with no confidentiality breach. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating a rogue ActivityPub server intercepts or independently relays a legitimately signed activity from a trusted third-party Mastodon actor, stripping specific JSON-LD entries from the payload before forwarding it to the target instance. The target Mastodon server's normalization process accepts the manipulated activity as cryptographically valid because the LD-Signature check passes despite the removed entries, causing the instance to process spoofed or distorted content - such as altered post bodies or manipulated relationship events - as if originating from the legitimate actor. …
Remediation Vendor-released patches are available: upgrade to Mastodon 4.5.10, 4.4.17, or 4.3.23 depending on the currently deployed release branch, as confirmed by the vendor advisory at https://github.com/mastodon/mastodon/security/advisories/GHSA-53m7-2wrh-q839. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-46405 HIGH POC
7.5 Dec 04

Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts

CVE-2024-25618 HIGH POC
7.4 Feb 14

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnera

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2023-36460 CRITICAL
9.9 Jul 06

Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vul

CVE-2024-23832 CRITICAL
9.8 Feb 01

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2022-2166 CRITICAL
9.8 Nov 16

Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated c

CVE-2026-46348 HIGH
8.7 Jun 24

Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing

CVE-2026-47389 HIGH
8.6 Jun 24

Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls autho

CVE-2026-27468 HIGH
8.2 Feb 24

Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe t

CVE-2026-41259 HIGH
8.2 Apr 23

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Masto

CVE-2024-37903 HIGH
8.2 Jul 05

Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remot

CVE-2024-25623 HIGH
7.7 Feb 19

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnera

Share

CVE-2026-48028 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy