SB2026042382 - Multiple vulnerabilities in Mastodon
Published: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper Handling of Insufficient Permissions or Privileges (CVE-ID: CVE-2025-62176)
CWE-ID: CWE-280 - Improper Handling of Insufficient Permissions or Privileges
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper handling of insufficient permissions or privileges in the streaming server when handling subscriptions to public timeline channels using a valid authentication token without the read:statuses scope. A remote user can use such a token to disclose sensitive information.
This only affects newly published public posts on public timelines and may result in unexpected access to public posts in limited-federation deployments.
2) Insufficient Session Expiration (CVE-ID: CVE-2025-62174)
CWE-ID: CWE-613 - Insufficient Session Expiration
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to continue using compromised sessions and access tokens to disclose sensitive information.
The vulnerability exists due to insufficient session expiration in session and access token handling when an administrator resets an account password via the CLI. A remote user can reuse previously issued sessions or access tokens to disclose sensitive information.
User interaction is required because an administrator must perform the password reset action.
3) Improper Handling of Insufficient Privileges (CVE-ID: CVE-2025-62175)
CWE-ID: CWE-274 - Improper Handling of Insufficient Privileges
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper handling of insufficient privileges in the streaming API when processing streaming API connections for disabled or suspended accounts. A remote user can reconnect to the streaming API after the account has been disabled or suspended to disclose sensitive information.
Disabled or suspended accounts may remain connected and continue receiving messages through the streaming API even though they cannot interact with other APIs.
Remediation
Install update from vendor's website.