Skip to main content

Mastodon EUVDEUVD-2026-36742

| CVE-2026-47777 HIGH
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-15 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
5.3 MEDIUM

Remote unauthenticated ActivityPub forgery requires no privileges or interaction, but impact is limited to misrepresenting featured-collection consent state, so I:L rather than I:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 15, 2026 - 19:01 EUVD
Source Code Evidence Fetched
Jun 15, 2026 - 18:22 vuln.today
Analysis Generated
Jun 15, 2026 - 18:22 vuln.today

DescriptionCVE.org

Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the FeatureAuthorization object that is used to verify consent to be featured in a Collection and thus make it appear as if an account is allowed to be in a Collection when it actually is not. While the FeatureAuthorization must reside on the same domain as the object it is for, a check is missing to make sure said object is actually the same as in the Collection item. This allows an attacker to forge the authorization. Mastodon servers are affected only if running the main branch or nightly builds who have opted into testing the experimental "Collections" feature by setting the environment variable EXPERIMENTAL_FEATURES to a value including collections. This has been patched in version 4.6.0-beta.1.

AnalysisAI

Authorization bypass in Mastodon's experimental Collections feature allows remote attackers to forge FeatureAuthorization objects and falsely list non-consenting accounts in remote Collections. The flaw stems from a missing cross-reference between the featured object's actor URI and the authorization's interactionTarget, letting an attacker assert consent on behalf of another account on the same domain. Patched in 4.6.0-beta.1; no public exploit identified at time of analysis and the issue only manifests when the EXPERIMENTAL_FEATURES env var explicitly enables 'collections'.

Technical ContextAI

Mastodon is a Ruby on Rails ActivityPub-based federated social server. The vulnerable code paths are in app/services/activitypub/process_featured_item_service.rb and verify_featured_item_service.rb, which handle inbound ActivityPub objects describing items featured in a remote actor's Collection. A FeatureAuthorization object is supposed to prove that the referenced account consented to being listed, and the existing check enforced that the authorization and its interactionTarget shared a hostname. However, no check verified that the interactionTarget actor URI matched the featuredObject actor URI of the Collection item itself - so any FeatureAuthorization on the correct domain, even one issued for a different account, would satisfy verification. This is a classic CWE-345 (Insufficient Verification of Data Authenticity) failure in federated trust validation; the patch introduces non_matching_actor_and_approval_uris? and matching_actors? helpers that cross-check the actor URIs.

RemediationAI

Vendor-released patch: 4.6.0-beta.1 - upgrade main-branch or nightly deployments to this version or newer per https://github.com/mastodon/mastodon/security/advisories/GHSA-vg36-gxjg-2v46, which incorporates the upstream fix commit 22203f8aeb03e8f14dc62e253e83db39825a5bcf. If immediate upgrade is not possible, the most direct compensating control is to disable the experimental feature by removing 'collections' from the EXPERIMENTAL_FEATURES environment variable and restarting the Mastodon services; the only side effect is loss of access to the still-experimental Collections functionality, which is not yet a stable feature. Operators running tagged stable releases without EXPERIMENTAL_FEATURES=collections require no action.

CVE-2022-46405 HIGH POC
7.5 Dec 04

Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts

CVE-2024-25618 HIGH POC
7.4 Feb 14

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnera

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2023-36460 CRITICAL
9.9 Jul 06

Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vul

CVE-2024-23832 CRITICAL
9.8 Feb 01

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2022-2166 CRITICAL
9.8 Nov 16

Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated c

CVE-2026-46348 HIGH
8.7 Jun 24

Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing

CVE-2026-47389 HIGH
8.6 Jun 24

Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls autho

CVE-2026-27468 HIGH
8.2 Feb 24

Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe t

CVE-2026-41259 HIGH
8.2 Apr 23

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Masto

CVE-2024-37903 HIGH
8.2 Jul 05

Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remot

CVE-2024-25623 HIGH
7.7 Feb 19

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnera

Share

EUVD-2026-36742 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy