#VU126973 Improper access control in Mastodon


Published: July 4, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU126973
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Mastodon
Software vendor: Mastodon

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in multiple API endpoints when handling requests with application tokens. A remote attacker can send requests using application tokens to disclose sensitive information.

On affected configurations, unregistered users can access hashtag timelines that should not be publicly accessible, and applications can access the public timeline regardless of their permissions.
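The failure mode described above is a request carrying an application token (a client-credentials token bound to an application, representing no user) being treated as though a user were logged in, with the token's granted permissions never consulted. The following is an added illustration, not Mastodon's own code; Mastodon is a Rails application, so it is written in Ruby. The token shape, the scope name `read`, and the `require_login` flag standing in for an instance configuration that restricts timelines to logged-in users are all assumptions made for the example. It places a flawed check beside a corrected one so the difference in outcome can be seen on constructed tokens.

```ruby
# Added example (not Mastodon's code): timeline authorization that
# distinguishes user-bound tokens from application tokens and enforces scopes.
# Token shape, scope name and the require_login flag are assumptions.

Token = Struct.new(:kind, :scopes, keyword_init: true)
# kind: :user  -> token issued on behalf of a logged-in account
#       :app   -> client-credentials token bound only to an application

# Flawed check: the mere presence of a token is taken as "logged in" and the
# token's scopes are never inspected, so an application token satisfies a
# login requirement it should not, and a token lacking read permission
# still reads the timeline.
def timeline_allowed_flawed?(token, require_login:)
  return true unless require_login
  !token.nil?
end

# Corrected check: any token used for a timeline read must hold the read
# scope, and only a user-bound token counts as an authenticated user when
# the instance restricts timelines to logged-in users. An application token
# is treated exactly like an anonymous request for that decision.
def timeline_allowed?(token, require_login:)
  if token
    return false unless token.scopes.include?("read")
  end
  return true unless require_login
  !token.nil? && token.kind == :user
end

# Constructed tokens exercising both checks; returns a hash of outcomes so the
# two behaviours can be compared side by side.
def demo
  user      = Token.new(kind: :user, scopes: ["read"])
  app_read  = Token.new(kind: :app,  scopes: ["read"])
  app_write = Token.new(kind: :app,  scopes: ["write"])
  {
    flawed_app_on_locked: timeline_allowed_flawed?(app_read, require_login: true), # true (the bug)
    fixed_app_on_locked:  timeline_allowed?(app_read, require_login: true),        # false
    fixed_user_on_locked: timeline_allowed?(user, require_login: true),            # true
    fixed_app_no_scope:   timeline_allowed?(app_write, require_login: false),      # false
    fixed_anon_open:      timeline_allowed?(nil, require_login: false),            # true
  }
end

puts demo.inspect if __FILE__ == $0
```

The corrected check makes two independent decisions explicit: whether the caller is a user at all (an application token is not), and whether the token was granted the permission the endpoint needs. Collapsing both into "is a token present" is what lets an application token read timelines the instance configuration meant to keep behind a login.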


Remediation

Install the security update from the vendor's website.

External links