SB2026042388 - Multiple vulnerabilities in Mastodon
Published: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-27468)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service and disclose sensitive information.
The vulnerability exists due to improper access control in the FASP subscription and content backfill approval checks when handling subscription and backfill requests from unconfirmed FASP registrations. A remote attacker can make subscriptions and request content backfill without administrator approval to cause a denial of service and disclose sensitive information.
Only instances with the experimental FASP feature enabled through the EXPERIMENTAL_FEATURES setting including fasp are vulnerable.
2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-27477)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause the server to make requests to internal systems.
The vulnerability exists due to server-side request forgery in the FASP provider base_url handling when registering a FASP with an attacker-controlled base_url that includes or resolves to a local or internal address. A remote attacker can register a crafted FASP to cause the server to make requests to internal systems.
Only instances with the experimental fasp feature enabled via the EXPERIMENTAL_FEATURES setting are vulnerable. The attacker can control only the URL prefix and cannot see the response.
Remediation
Install update from vendor's website.