Improper access control in Mastodon - #VU126973

Published: July 4, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU126973
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mastodon
Affected software: Mastodon

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in multiple API endpoints when handling requests with application tokens. A remote attacker can send requests using application tokens to disclose sensitive information.

On affected configurations, unregistered users can access hashtag timelines that should not be publicly accessible, and applications can access the public timeline regardless of their permissions.
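As an added illustration that is not Mastodon's own code, the following Ruby sketch models the authorization decision the advisory says these endpoints got wrong: an application token (an OAuth token with no resource owner) must be treated like an anonymous caller, not like a logged-in user, and every token still needs a read scope. The setting name `require_login_for_timelines`, the `Token` fields and the scope names are assumptions made for this example.

```ruby
# Added illustration, not Mastodon's code: model the access decision the
# advisory describes. The setting name, token fields and scope names are
# assumptions made for this example.

# An OAuth token as Doorkeeper-style libraries represent it: user tokens carry
# a resource_owner_id, application (client-credentials) tokens carry none.
Token = Struct.new(:resource_owner_id, :scopes, keyword_init: true) do
  def application_token?
    resource_owner_id.nil?
  end

  def can_read_timelines?
    (scopes & %w[read read:statuses]).any?
  end
end

# Hypothetical instance setting: when true, the public and hashtag timelines
# are only for logged-in users, so unauthenticated requests and application
# tokens must be refused.
Instance = Struct.new(:require_login_for_timelines, keyword_init: true)

class TimelinePolicy
  TIMELINES = %i[public hashtag].freeze

  def initialize(instance:, token: nil)
    @instance = instance
    @token = token
  end

  # Returns true only when the caller may read the given timeline.
  def permitted?(timeline)
    return false unless TIMELINES.include?(timeline)

    # No token at all: allowed only on instances that show timelines publicly.
    return !@instance.require_login_for_timelines if @token.nil?

    # Any token must carry a read scope; this is the "regardless of their
    # permissions" half of the advisory.
    return false unless @token.can_read_timelines?

    # An application token is not a logged-in user: on a restricted instance
    # it gets exactly what an anonymous request gets, which is nothing.
    return !@instance.require_login_for_timelines if @token.application_token?

    true
  end
end
```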


Remediation

Install security update from vendor's website.

Sources