Skip to main content

Mastodon EUVDEUVD-2026-39055

| CVE-2026-47389 HIGH
Incomplete List of Disallowed Inputs (CWE-184)
2026-06-24 GitHub_M
8.6
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
8.6 HIGH

Unauthenticated network-triggered outbound fetch (PR:N/UI:N/AV:N/AC:L) crosses a trust boundary to internal services (S:C) exposing data (C:H); no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 21:02 EUVD
Analysis Generated
Jun 24, 2026 - 20:20 vuln.today

DescriptionCVE.org

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) corresponding to some private IPv4 addresses, depending on Ruby version, this can include loopback, RFC1918 private networks, and link-local space. An attacker who controls DNS for any domain can publish an AAAA record with such a mapped address; any outbound HTTP fetch Mastodon performs against that hostname then opens a real TCP connection to the underlying IPv4 address, including 127.0.0.1 and cloud-metadata endpoints such as 169.254.169.254. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.

AnalysisAI

Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls authoritative DNS for a hostname bypass Mastodon's private-network filter and force the server to connect to internal IPv4 endpoints. The flaw stems from PrivateAddressCheck.private_address? …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register attacker-controlled domain
Delivery
Publish AAAA record ::ffff:169.254.169.254
Exploit
Submit hostname URL to Mastodon
Execution
Server fetch bypasses private-address check
Persist
TCP connection to internal IPv4 endpoint
Impact
Exfiltrate metadata/credentials or internal data

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) the target Mastodon instance to be running on a Ruby interpreter older than 3.4 - instances on Ruby 3.4+ are not affected; (2) the attacker to control authoritative DNS for a hostname and publish an AAAA record encoding an IPv4-mapped IPv6 address (::ffff:a.b.c.d) such as ::ffff:127.0.0.1 or ::ffff:169.254.169.254; and (3) a code path that causes Mastodon to perform an outbound HTTP fetch against that hostname (link preview, remote actor/object resolution, media or webfinger lookup). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, 8.6) indicates network-reachable, low-complexity, unauthenticated exploitation with a scope change and high confidentiality impact - consistent with classic SSRF reaching a cloud-metadata service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a domain, points an AAAA record at ::ffff:169.254.169.254, and gets a Mastodon instance to fetch a URL on that hostname (for example by submitting it as a link, remote profile, or object reference so the server generates a preview or resolves it). Because the private-address check passes the mapped address, the server opens a connection to the cloud metadata service and returns or processes the response, potentially leaking IAM credentials or internal service data. …
Remediation Vendor-released patch: upgrade to Mastodon 4.5.10, 4.4.17, or 4.3.23 (whichever matches your branch), per advisory GHSA-xx55-4rrg-8xg6 (https://github.com/mastodon/mastodon/security/advisories/GHSA-xx55-4rrg-8xg6). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Mastodon instances and identify versions running before 4.5.10, 4.4.17, or 4.3.23. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-46405 HIGH POC
7.5 Dec 04

Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts

CVE-2024-25618 HIGH POC
7.4 Feb 14

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnera

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2023-36460 CRITICAL
9.9 Jul 06

Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vul

CVE-2024-23832 CRITICAL
9.8 Feb 01

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2022-2166 CRITICAL
9.8 Nov 16

Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated c

CVE-2026-46348 HIGH
8.7 Jun 24

Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing

CVE-2026-27468 HIGH
8.2 Feb 24

Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe t

CVE-2026-41259 HIGH
8.2 Apr 23

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Masto

CVE-2024-37903 HIGH
8.2 Jul 05

Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remot

CVE-2024-25623 HIGH
7.7 Feb 19

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnera

CVE-2026-50129 HIGH
7.5 Jun 24

Denial of service in Mastodon affects all self-hosted instances prior to 4.5.11, 4.4.18, and 4.3.24, where the math cont

Share

EUVD-2026-39055 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy