SB2026042385 - Multiple vulnerabilities in Mastodon



SB2026042385 - Multiple vulnerabilities in Mastodon

Published: April 23, 2026

Security Bulletin ID SB2026042385
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-22245)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to access otherwise private resources and services.

The vulnerability exists due to improper access control in SSRF protection when processing user-provided domains. A remote attacker can supply an IP address in a disallowed-but-unblocked range to access otherwise private resources and services.

The issue can cause outbound HTTP requests to loopback or local network hosts.


2) Improper access control (CVE-ID: CVE-2026-22246)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the severed relationships download functionality when handling requests for a particular severance event. A remote user can request lists of lost followers and followed users for other users' severance events to disclose sensitive information.

The leaked information does not include the name of the account which has lost follows and followers.


Remediation

Install update from vendor's website.