SB2026042382 - Multiple vulnerabilities in Mastodon



SB2026042382 - Multiple vulnerabilities in Mastodon

Published: April 23, 2026

Security Bulletin ID SB2026042382
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Improper Handling of Insufficient Permissions or Privileges (CVE-ID: CVE-2025-62176)

CWE-ID: CWE-280 - Improper Handling of Insufficient Permissions or Privileges

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper handling of insufficient permissions or privileges in the streaming server when handling subscriptions to public timeline channels using a valid authentication token without the read:statuses scope. A remote user can use such a token to disclose sensitive information.

This only affects newly published public posts on public timelines and may result in unexpected access to public posts in limited-federation deployments.


2) Insufficient Session Expiration (CVE-ID: CVE-2025-62174)

CWE-ID: CWE-613 - Insufficient Session Expiration

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to continue using compromised sessions and access tokens to disclose sensitive information.

The vulnerability exists due to insufficient session expiration in session and access token handling when an administrator resets an account password via the CLI. A remote user can reuse previously issued sessions or access tokens to disclose sensitive information.

User interaction is required because an administrator must perform the password reset action.


3) Improper Handling of Insufficient Privileges (CVE-ID: CVE-2025-62175)

CWE-ID: CWE-274 - Improper Handling of Insufficient Privileges

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper handling of insufficient privileges in the streaming API when processing streaming API connections for disabled or suspended accounts. A remote user can reconnect to the streaming API after the account has been disabled or suspended to disclose sensitive information.

Disabled or suspended accounts may remain connected and continue receiving messages through the streaming API even though they cannot interact with other APIs.


Remediation

Install update from vendor's website.