Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields to cause disproportionate storage and computing resource usage. They can additionally cause their own web interface to be unusable, although they must intentionally do this to themselves or unknowingly approve a malicious API client. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
Published: 2026-01-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via resource exhaustion
Action: Update
AI Analysis

Impact

Mastodon server versions before 4.5.5, 4.4.12, and 4.3.18 do not enforce a maximum length on list names, filter names, or filter keywords. An authenticated user of the instance (a "local user" in Mastodon's terms, that is, an account registered on that server, not someone with shell access to the host) can therefore create entries containing arbitrarily long strings, which consume disproportionate storage and processing time on the server. The same user can also render their own web interface unusable, although only by doing so deliberately or by authorizing a malicious third-party API client that does it on their behalf. The attack is carried out over the network through the ordinary web interface or REST API (CVSS AV:N, PR:L); no privileged or local access is needed.

Affected Systems

Any Mastodon instance running a release older than 4.5.5, 4.4.12, or 4.3.18 on its respective branch is affected; the NVD CPE cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* covers the product without a version bound. Upgrading to 4.5.5, 4.4.12, or 4.3.18 patches the flaw.

Risk and Exploitability

The CVSS v3.1 base score is 4.3 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L), and the EPSS score is below 1%, so the probability of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. Exploitation requires nothing more than an account on the instance (including one whose owner has approved a malicious third-party API client) and is carried out over the network through the normal API. Because the only impact is to availability (resource exhaustion on the server and a degraded interface for the abusing user), the threat is bounded: what is at stake is the instance's storage and CPU budget and the individual user's own experience, not other users' data.

Generated by OpenCVE AI on April 18, 2026 at 03:59 UTC.

Remediation

Fixed versions: Mastodon 4.5.5, 4.4.12, and 4.3.18 (see Description). No vendor workaround for unpatched versions is listed.

OpenCVE Recommended Actions

  • Upgrade the Mastodon instance to 4.5.5 or later, or to the patched release of the branch you run (4.4.12 or 4.3.18) if moving branches is not possible.
  • If an upgrade cannot be performed immediately, note that no vendor workaround is listed and the advisory describes no configuration setting that disables lists or filters per user, so do not rely on one. As general hardening not taken from the advisory, a request-body size limit at the reverse proxy in front of the instance bounds how large a single name or keyword submission can be, and users should review and revoke unfamiliar authorized API applications, since the description names a malicious client approved by the user as one path to self-inflicted abuse.
  • Monitor server storage and CPU usage for unusual growth, and after upgrading query the database for list titles, filter titles, and filter keywords that were created while the limit was missing and exceed the new maximum; the description does not say whether rows already stored are truncated by the fix, so check rather than assume.
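The following is an added example, not Mastodon's code or its upstream patch: a Rails-free Ruby model of the missing length check described under Impact (the unbounded acceptance beside its bounded replacement) together with the audit over rows stored before the upgrade that the monitoring step above calls for. The per-field limits, the byte cap, and the table names in the constructed sample rows are assumptions for illustration; take the real limits from the patched releases and the table names from the schema of the instance you run.

```ruby
# Added example, not Mastodon's code or its upstream patch: a Rails-free model
# of the missing length check and of an audit over rows stored before the fix.
# Limits are assumptions for illustration; take the real ones from the patched
# releases.
module LengthLimits
  # Assumed per-field caps in user-visible characters (grapheme clusters).
  MAX_CHARS = { list_title: 100, filter_title: 100, filter_keyword: 100 }.freeze
  # Assumed secondary cap in bytes, so combining-mark or multibyte input cannot
  # stay under the character cap while still inflating storage.
  MAX_BYTES = 400

  class ValidationError < StandardError; end

  # Pre-fix behaviour: any string is accepted and stored as-is.
  def self.accept_unbounded(field, value)
    raise ValidationError, "#{field} must be a string" unless value.is_a?(String)
    value
  end

  # Post-fix behaviour: reject blank, over-long, or over-sized values before
  # they reach the database.
  def self.accept_bounded(field, value)
    raise ValidationError, "#{field} must be a string" unless value.is_a?(String)
    raise ValidationError, "#{field} must not be blank" if value.strip.empty?
    max_chars = MAX_CHARS.fetch(field)
    chars = value.each_grapheme_cluster.count
    bytes = value.bytesize
    raise ValidationError, "#{field} too long: #{chars} chars > #{max_chars}" if chars > max_chars
    raise ValidationError, "#{field} too large: #{bytes} bytes > #{MAX_BYTES}" if bytes > MAX_BYTES
    value
  end

  # Audit rows that were stored while the check was missing. Each row is a hash
  # { table:, id:, field:, value: }; returns only the rows the hardened check
  # would reject, annotated with their measured size and the reason.
  def self.audit(rows)
    rows.map do |row|
      value = row[:value].to_s
      begin
        accept_bounded(row[:field], value)
        nil
      rescue ValidationError => e
        row.merge(chars: value.each_grapheme_cluster.count,
                  bytes: value.bytesize,
                  reason: e.message)
      end
    end.compact
  end
end

# Constructed sample rows, not data from a real instance. Table names follow
# Mastodon's schema as assumed here (lists, custom_filters,
# custom_filter_keywords); verify against db/schema.rb before querying.
SAMPLE_ROWS = [
  { table: "lists", id: 1, field: :list_title, value: "Close friends" },
  { table: "lists", id: 2, field: :list_title, value: "A" * 5_000 },
  { table: "custom_filters", id: 7, field: :filter_title, value: "Spoilers" },
  # One grapheme cluster (a base letter plus 500 combining acute accents) but
  # 1001 bytes: it passes a character-only check and is caught by the byte cap.
  { table: "custom_filter_keywords", id: 9, field: :filter_keyword,
    value: "e" + "\u0301" * 500 },
].freeze

if $PROGRAM_NAME == __FILE__
  LengthLimits.audit(SAMPLE_ROWS).each do |hit|
    puts "#{hit[:table]}##{hit[:id]} (#{hit[:chars]} chars, #{hit[:bytes]} bytes): #{hit[:reason]}"
  end
end
```

The check counts grapheme clusters rather than bytes so that a name written in a multibyte script is not penalized, and adds a byte cap so that a string built from combining marks cannot stay at one visible character while still being kilobytes in size; a limit on only one of the two measures leaves the other open. Run against real rows, the audit routine would be fed the output of a SELECT over the three tables instead of SAMPLE_ROWS.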



Advisories

No advisories yet.

History

Mon, 02 Feb 2026 20:30:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Joinmastodon; Joinmastodon mastodon

Type: Vendors & Products
Values removed: (none)
Values added: Joinmastodon; Joinmastodon mastodon

Thu, 22 Jan 2026 23:00:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 22 Jan 2026 02:45:00 +0000

Type: Description
Values removed: (none)
Values added: (same text as the Description section above)

Type: Title
Values removed: (none)
Values added: Mastodon missing length limits on list names, filter names, and filter keywords

Type: Weaknesses
Values removed: (none)
Values added: CWE-770

Type: References
Values removed: (none)
Values added: (none shown)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T17:32:13.067Z

Reserved: 2026-01-19T14:49:06.313Z

Link: CVE-2026-23963

Vulnrichment

Updated: 2026-01-22T17:32:05.892Z

NVD

Status : Analyzed

Published: 2026-01-22T03:15:46.550

Modified: 2026-02-02T20:27:15.387

Link: CVE-2026-23963

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses