CVE-2026-48028

Summary

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from a third-party actor. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.

Affected Software

VendorProductVersion RangeStatus
mastodonmastodon>= 4.5.0-beta.1, < 4.5.10affected
mastodonmastodon>= 4.4.0-beta.1, < 4.4.17affected
mastodonmastodon< 4.3.23affected

Weaknesses

  • CWE-354: CWE-354: Improper Validation of Integrity Check Value

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References