CVE-2026-50128
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how it is defined makes Linked Data Signatures on the toot:attributionDomains property ineffective. An attacker can arbitrarily modify the attributionDomains value of a legitimately signed Update activity and bypass Mastodon’s signature verification. This vulnerability is fixed in 4.5.11 and 4.4.18.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| mastodon | mastodon | >= 4.5.0-beta.1, < 4.5.11 | affected |
| mastodon | mastodon | >= 4.3.0, < 4.4.18 | affected |
Weaknesses
- CWE-354: CWE-354: Improper Validation of Integrity Check Value
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.