SB2026042385 - Multiple vulnerabilities in Mastodon
Published: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-22245)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to access otherwise private resources and services.
The vulnerability exists due to improper access control in SSRF protection when processing user-provided domains. A remote attacker can supply an IP address in a disallowed-but-unblocked range to access otherwise private resources and services.
The issue can cause outbound HTTP requests to loopback or local network hosts.
2) Improper access control (CVE-ID: CVE-2026-22246)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the severed relationships download functionality when handling requests for a particular severance event. A remote user can request lists of lost followers and followed users for other users' severance events to disclose sensitive information.
The leaked information does not include the name of the account which has lost follows and followers.
Remediation
Install update from vendor's website.