Server-Side Request Forgery (SSRF) in Mastodon - CVE-2026-27477
Published: April 23, 2026
Mastodon
Detailed vulnerability description
The vulnerability allows a remote attacker to cause the server to make requests to internal systems.
The vulnerability exists because the FASP provider base_url handling does not adequately restrict where a registered FASP may point: an attacker can register a FASP whose base_url is, or resolves to, a loopback or internal address, and the server will then direct its outbound FASP requests at that address. A remote attacker can therefore register a crafted FASP to make the server send requests to internal systems.
Only instances that have enabled the experimental fasp feature via the EXPERIMENTAL_FEATURES setting are affected. The attacker controls only the URL prefix (the base_url), not the rest of the request, and cannot see the response, so this is a blind SSRF.
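The following is an added illustration of the class of check a base_url field like this needs; it is example code written for this page, not Mastodon's own FASP code, and the function names (`naive_accept?`, `validate_base_url`, `blocked_ip?`), the hypothetical `FAKE_DNS` table and the "https only, no userinfo" policy are assumptions made for the example. It contrasts a naive check that only looks at the scheme with a validator that resolves the host and rejects any address in a loopback, link-local, private or otherwise non-public range, including IPv4-mapped IPv6 forms. The resolver is injectable so the block runs offline against constructed DNS answers.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Non-public ranges (RFC 1918, loopback, link-local, CGNAT, benchmarking, multicast,
# reserved, IPv6 unspecified/loopback/ULA/link-local). Assumed deny-list for this example.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.0.0.0/24 192.168.0.0/16 198.18.0.0/15 224.0.0.0/4 240.0.0.0/4
  ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Naive check of the kind that lets an internal base_url through: it only asks
# whether the value parses as an http(s) URL. Shown for contrast; not Mastodon's code.
def naive_accept?(raw)
  uri = URI.parse(raw)
  %w[http https].include?(uri.scheme) && !uri.host.nil?
rescue URI::InvalidURIError
  false
end

# True if the address falls in a blocked range. IPv4-mapped IPv6 (::ffff:127.0.0.1)
# is unwrapped to its native IPv4 form so the IPv4 ranges apply to it too.
def blocked_ip?(ip)
  addr = ip.is_a?(IPAddr) ? ip : IPAddr.new(ip)
  addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.family == addr.family && range.include?(addr) }
end

# Returns [true, resolved_addresses] or [false, reason].
# resolver: callable host -> array of IP strings; injected so the check can run
# offline here and so a caller can pin the exact addresses it validated.
def validate_base_url(raw, resolver: ->(host) { Resolv.getaddresses(host) })
  begin
    uri = URI.parse(raw)
  rescue URI::InvalidURIError
    return [false, 'unparseable URL']
  end
  return [false, 'scheme must be https'] unless uri.is_a?(URI::HTTPS)
  return [false, 'userinfo not allowed'] if uri.userinfo
  host = uri.hostname # strips [] from IPv6 literals
  return [false, 'missing host'] if host.nil? || host.empty?

  literal = (IPAddr.new(host) rescue nil)
  addrs = literal ? [literal] : resolver.call(host).map { |a| IPAddr.new(a) }
  return [false, 'host does not resolve'] if addrs.empty?

  # Every answer must be public: a host that returns one public and one internal
  # address is rejected, since the client may connect to either.
  bad = addrs.find { |a| blocked_ip?(a) }
  return [false, "resolves to non-public address #{bad}"] if bad

  [true, addrs.map(&:to_s)]
end

# Constructed DNS answers for the example (hypothetical names, documentation IPs).
FAKE_DNS = {
  'fasp.example'      => ['203.0.113.10'],
  'rebind.example'    => ['203.0.113.10', '10.0.0.5'],
  'metadata.internal' => ['169.254.169.254'],
  'mapped.example'    => ['::ffff:127.0.0.1'],
  'nxdomain.example'  => []
}.freeze
FAKE_RESOLVER = ->(host) { FAKE_DNS.fetch(host, []) }

if $PROGRAM_NAME == __FILE__
  ['https://fasp.example/fasp', 'https://10.0.0.5/', 'https://[::1]/',
   'https://rebind.example/', 'https://mapped.example/'].each do |u|
    puts "#{u.ljust(28)} naive=#{naive_accept?(u)} strict=#{validate_base_url(u, resolver: FAKE_RESOLVER).inspect}"
  end
end
```

Validating at registration time is necessary but not sufficient: a hostname can answer differently when the request is actually made (DNS rebinding), and an HTTP client's own resolver may accept forms this check never sees, such as a bare decimal IPv4 integer. The outbound client therefore has to connect only to the addresses that were validated, or re-run the same check on every connection it opens, including redirects.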