Improper access control in Mastodon - CVE-2026-22246


Published: April 23, 2026


Vulnerability identifier: #VU126989
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-22246
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mastodon
Affected software: Mastodon

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the severed relationships download functionality when handling requests for a particular severance event: the event is resolved by its identifier without verifying that it belongs to the requesting account. A remote authenticated user can therefore request the lists of lost followers and lost followed users for other users' severance events and disclose sensitive information.

The leaked information does not include the name of the account that lost the follows and followers.
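The access-control failure described above is the classic object-level authorization gap: a per-account resource is looked up by id alone. The following is an added illustration written for this page, not Mastodon's code; the model (SeveranceEvent, EventStore), the account ids and the sample follower handles are all constructed. It contrasts the unscoped lookup with one scoped to the requesting account, which is the pattern the fix needs to enforce.

```ruby
# Added illustration (not Mastodon's code): an in-memory model of per-account
# severance events and the lookup behind a "download lost followers" endpoint.
# SeveranceEvent, EventStore and the sample data are constructed for this example.

SeveranceEvent = Struct.new(:id, :account_id, :lost_followers, :lost_following)

class EventStore
  def initialize(events)
    @events = events
  end

  # Vulnerable pattern (CWE-284): the event is fetched by id alone, so any
  # authenticated user who supplies another account's event id gets its lists.
  def find_unscoped(event_id)
    @events.find { |e| e.id == event_id }
  end

  # Hardened pattern: the lookup is scoped to the requesting account, so an id
  # owned by someone else resolves to nothing and the caller answers 404.
  def find_for_account(account_id, event_id)
    @events.find { |e| e.id == event_id && e.account_id == account_id }
  end
end

# Constructed sample data: two accounts (100 and 200), one severance event each.
EVENTS = EventStore.new([
  SeveranceEvent.new(1, 100, %w[alice@remote.example bob@remote.example], %w[carol@remote.example]),
  SeveranceEvent.new(2, 200, %w[dave@remote.example], [])
])

# Simulates the download endpoint: returns the CSV body, or nil when the event is
# not visible to the current account (the controller would respond 404).
def download_lost_followers(store, current_account_id, event_id, scoped: true)
  event = if scoped
            store.find_for_account(current_account_id, event_id)
          else
            store.find_unscoped(event_id)
          end
  return nil if event.nil?
  event.lost_followers.map { |acct| "#{acct}\n" }.join
end

if __FILE__ == $PROGRAM_NAME
  # Account 200 requesting account 100's event: leaks under the unscoped lookup,
  # denied under the scoped one.
  puts "unscoped: #{download_lost_followers(EVENTS, 200, 1, scoped: false).inspect}"
  puts "scoped:   #{download_lost_followers(EVENTS, 200, 1).inspect}"
end
```

The defensive point is that the ownership check lives in the query itself (find by id *and* owner), not in a separate comparison after the fetch that a later refactor can drop; every per-user download route should resolve the resource through the current account's own association.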


How to mitigate CVE-2026-22246

Install the security update from the vendor's website.

Sources