Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-accessible federated protocol, no auth on victim instance, integrity-only impact limited to attribution metadata, no confidentiality or availability effect.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how it is defined makes Linked Data Signatures on the toot:attributionDomains property ineffective. An attacker can arbitrarily modify the attributionDomains value of a legitimately signed Update activity and bypass Mastodon’s signature verification. This vulnerability is fixed in 4.5.11 and 4.4.18.
AnalysisAI
Signature bypass in Mastodon's ActivityPub federation layer allows remote unauthenticated attackers to falsely attribute article authorship by manipulating the toot:attributionDomains property of signed Update activities. Affected are all Mastodon instances running versions 4.3.0 through 4.5.10 or 4.4.x through 4.4.17, where a JSON-LD definition error renders Linked Data Signatures on this specific property non-binding. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to relay or inject ActivityPub Update activities to a target Mastodon instance, which is possible for any operator of a federated ActivityPub-compatible server or for a network-adjacent actor with the ability to intercept inter-server federation traffic. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N accurately characterizes the attack surface: fully remote, no authentication, low complexity, but limited to a low-integrity impact confined to author attribution data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operating a malicious or compromised federated server intercepts a legitimately signed Update activity from a trusted Mastodon instance that includes a valid `attributionDomains` value crediting a reputable news domain. The attacker replaces the domain value with an arbitrary target domain and forwards the modified activity to victim Mastodon instances; because the JSON-LD definition error excludes this property from LDS computation, the signature validates successfully and the false attribution is accepted. … |
| Remediation | Upgrade to Mastodon 4.5.11 (for the 4.5.x branch) or 4.4.18 (for the 4.4.x branch) - these are the vendor-confirmed fixed releases per the GitHub advisory GHSA-rwcw-vq68-g34p at https://github.com/mastodon/mastodon/security/advisories/GHSA-rwcw-vq68-g34p. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnera
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vul
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated c
Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing
Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls autho
Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe t
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Masto
Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remot
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnera
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39059