Description
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4.
Published: 2026-01-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows a registered local user to retrieve the list of users that were lost followers or followed as a result of any severance event. Although the account name that lost follows or followers is not disclosed, the attack reveals the scope of the moderation action, leaking sensitive user relationship data. The flaw is a failure to enforce proper ownership checks on the severed relationship download API, corresponding to CWE-201 (Access Control Failure).

Affected Systems

Mastodon servers running the free, open‑source social network software, specifically versions 4.3 through 4.3.16, 4.4.0–4.4.10, and 4.5.0–4.5.3 are affected. The issue is resolved in Mastodon v4.3.17, v4.4.11, and v4.5.4. Any registered local user on a vulnerable instance can exploit the flaw.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. EPSS is below 1%, showing a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only local access to the server’s API and does not rely on remote code execution or elevated privileges, making it relatively straightforward for an authenticated user to enumerate severance events.

Generated by OpenCVE AI on April 18, 2026 at 16:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mastodon to v4.3.17 or newer (v4.4.11, v4.5.4).
  • If an immediate upgrade is not feasible, temporarily disable the severed relationship notifications feature or block API access to the severance event endpoint through configuration settings.
  • Conduct an audit of API activity logs for unusual enumeration of severed relationships and restrict local user permissions to the severed relationship API endpoint.

Generated by OpenCVE AI on April 18, 2026 at 16:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 22 Jan 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Joinmastodon
Joinmastodon mastodon
Vendors & Products Joinmastodon
Joinmastodon mastodon

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 15:45:00 +0000

Type Values Removed Values Added
Description Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4.
Title Local Mastodon users can enumerate and access severed relationships of every other local user
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Joinmastodon Mastodon
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T15:54:24.770Z

Reserved: 2026-01-07T05:19:12.921Z

Link: CVE-2026-22246

cve-icon Vulnrichment

Updated: 2026-01-08T15:52:01.399Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-08T16:16:02.957

Modified: 2026-01-22T13:52:28.883

Link: CVE-2026-22246

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:45:05Z

Weaknesses