Improper access control in Mastodon - CVE-2026-27468


Published: April 23, 2026


Vulnerability identifier: #VU126995
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-27468
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mastodon
Affected software: Mastodon

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service and disclose sensitive information.

The vulnerability exists due to improper access control in the FASP subscription and content backfill approval checks when handling subscription and backfill requests from unconfirmed FASP registrations. A remote attacker can make subscriptions and request content backfill without administrator approval to cause a denial of service and disclose sensitive information.

Only instances that have enabled the experimental FASP feature, that is, instances whose EXPERIMENTAL_FEATURES setting includes fasp, are vulnerable.
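An illustrative Ruby model, added here and not Mastodon's own code, of the approval check the description refers to: a FASP registration that an administrator has not yet confirmed must be refused subscription and backfill requests. The registration struct, the request kinds and the method names are assumptions made for the illustration.

```ruby
# Illustrative model (assumed names, not Mastodon's code) of the approval
# check that CVE-2026-27468 concerns: a FASP provider registers, an
# administrator confirms it, and only then may it subscribe or request backfill.
FaspRegistration = Struct.new(:name, :confirmed, keyword_init: true)

class FaspAuthorizationError < StandardError; end

# Request kinds a registered FASP provider can send.
FASP_REQUEST_KINDS = %i[subscription backfill].freeze

# Vulnerable form: any registered provider passes, confirmed or not, so an
# unapproved provider can open subscriptions and pull content backfill.
def authorize_fasp_request_vulnerable!(registration, kind)
  raise FaspAuthorizationError, "unknown request kind" unless FASP_REQUEST_KINDS.include?(kind)
  raise FaspAuthorizationError, "unregistered provider" if registration.nil?
  true
end

# Hardened form: the registration must also carry administrator confirmation.
def authorize_fasp_request!(registration, kind)
  raise FaspAuthorizationError, "unknown request kind" unless FASP_REQUEST_KINDS.include?(kind)
  raise FaspAuthorizationError, "unregistered provider" if registration.nil?
  raise FaspAuthorizationError, "registration not confirmed by an administrator" unless registration.confirmed
  true
end

# Returns :allowed or :denied instead of raising, so both checks can be
# compared over the same requests.
def fasp_decision(registration, kind, hardened: true)
  hardened ? authorize_fasp_request!(registration, kind) : authorize_fasp_request_vulnerable!(registration, kind)
  :allowed
rescue FaspAuthorizationError
  :denied
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample registrations: one pending approval, one approved.
  pending  = FaspRegistration.new(name: "pending-provider.example", confirmed: false)
  approved = FaspRegistration.new(name: "approved-provider.example", confirmed: true)
  FASP_REQUEST_KINDS.each do |kind|
    puts "#{kind} from pending provider: vulnerable=#{fasp_decision(pending, kind, hardened: false)} " \
         "hardened=#{fasp_decision(pending, kind)}"
    puts "#{kind} from approved provider: hardened=#{fasp_decision(approved, kind)}"
  end
end
```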


How to mitigate CVE-2026-27468

Install the security update from the vendor's website.
