SB2026042388 - Multiple vulnerabilities in Mastodon



SB2026042388 - Multiple vulnerabilities in Mastodon

Published: April 23, 2026

Security Bulletin ID SB2026042388
CSH Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

High 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-27468)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to cause a denial of service and disclose sensitive information.

The vulnerability exists due to improper access control in the FASP subscription and content backfill approval checks when handling subscription and backfill requests from unconfirmed FASP registrations. A remote attacker can make subscriptions and request content backfill without administrator approval to cause a denial of service and disclose sensitive information.

Only instances with the experimental FASP feature enabled through the EXPERIMENTAL_FEATURES setting including fasp are vulnerable.


2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-27477)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause the server to make requests to internal systems.

The vulnerability exists due to server-side request forgery in the FASP provider base_url handling when registering a FASP with an attacker-controlled base_url that includes or resolves to a local or internal address. A remote attacker can register a crafted FASP to cause the server to make requests to internal systems.

Only instances with the experimental fasp feature enabled via the EXPERIMENTAL_FEATURES setting are vulnerable. The attacker can control only the URL prefix and cannot see the response.


Remediation

Install update from vendor's website.