Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, and 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache`. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regard for the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, and 4.5.6.
Published: 2026-02-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Web cache poisoning that can lead to disclosure or misdelivery of ActivityPub content
Action: Apply Patch
AI Analysis

Impact

Mastodon prior to versions 4.3.19, 4.4.13, and 4.5.6 renders the ActivityPub collections for an account's pinned posts and featured hashtags differently depending on which actor signed the fetch (a blocked actor gets an empty collection), but stores the rendered result in the application-level `Rails.cache` under a key that does not include the signing actor. Whichever actor fetches first therefore decides what every later requester sees until the entry is evicted: a blocked actor's empty collection can be served to legitimate followers and remote instances, which then miss the pinned posts and featured tags (the availability component of the CVSS vector), or the full collection rendered for a non-blocked actor can be served to an actor the account has blocked (the confidentiality component). The data itself is never modified in transit, which is why the CVSS vector rates integrity impact as none.

Affected Systems

Mastodon, the open-source social network server based on ActivityPub. All releases before 4.3.19, 4.4.13, and 4.5.6 (the first patched release on the 4.3, 4.4 and 4.5 branches respectively) are affected. The issue only manifests when AUTHORIZED_FETCH is enabled, because that is the mode in which the signing actor influences the response, and it affects the ActivityPub collection responses for pinned posts and featured hashtags that are served from the Rails cache.

Risk and Exploitability

The CVSS score of 6.5 reflects moderate impact, and the EPSS score below 1% indicates a low probability of exploitation in the wild; the vulnerability is not listed in the CISA KEV catalog. Triggering the issue takes nothing more than an HTTP-signed fetch of the pinned posts or featured hashtags collection: the cache key depends only on the target account, so whatever the first requester receives is replayed to everyone who fetches the same collection afterwards. No account on the target instance is needed (the CVSS vector rates privileges required as none), since any ActivityPub actor can sign such a fetch, including one hosted on a server the attacker operates. An attacker whose actor the target account has blocked can prime the cache with the empty response so that legitimate actors see no pinned posts or featured tags, or can wait for a non-blocked actor to fetch first and then read the cached full collection that the block was meant to withhold. Because the entry persists across requests, a single priming request affects every subsequent requester until the entry expires, is invalidated, or the application is updated.

Generated by OpenCVE AI on April 18, 2026 at 13:44 UTC.
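The cache-key mistake described in the analysis above, reduced to a runnable Ruby sketch. This is an added example and not Mastodon's code: the `MemoryCache` class is a hypothetical stand-in for `Rails.cache#fetch`, and the account, the actor URIs and the `pinned_collection_*` handlers are constructed for illustration. It shows the signature-independent key replaying the first requester's answer in both directions (blocked-then-legitimate and legitimate-then-blocked), followed by two ways to repair it.

```ruby
require 'set'

# Minimal stand-in for Rails.cache#fetch (hypothetical; not ActiveSupport):
# returns the stored value for a key, or runs the block once and stores its result.
class MemoryCache
  def initialize
    @store = {}
  end

  def fetch(key)
    return @store[key] if @store.key?(key)
    @store[key] = yield
  end

  def keys
    @store.keys
  end
end

# Constructed sample account: alice pins two posts and has blocked mallory's actor.
Account = Struct.new(:id, :username, :pinned, :blocked_actors) do
  def blocks?(actor_uri)
    blocked_actors.include?(actor_uri)
  end
end

MALLORY = 'https://evil.example/actor/mallory'.freeze   # constructed; blocked by alice
BOB     = 'https://friendly.example/actor/bob'.freeze   # constructed; ordinary remote actor
ALICE   = Account.new(1, 'alice', ['post-1', 'post-2'], Set[MALLORY])

# What the endpoint must answer once the HTTP signature has been verified:
# an empty collection for a blocked actor, the real one for anyone else.
def render_pinned(account, signed_by)
  account.blocks?(signed_by) ? [] : account.pinned
end

# Vulnerable pattern: the response depends on signed_by, but the key does not,
# so the first requester's answer is replayed to every later requester.
def pinned_collection_vulnerable(cache, account, signed_by)
  cache.fetch([:pinned, account.id]) { render_pinned(account, signed_by) }
end

# Fix 1: every input that changes the response becomes part of the key.
def pinned_collection_keyed_by_actor(cache, account, signed_by)
  cache.fetch([:pinned, account.id, signed_by]) { render_pinned(account, signed_by) }
end

# Fix 2: cache only the actor-independent full collection and answer blocked
# actors without touching the cache, so the key space does not grow per actor.
def pinned_collection_uncached_for_blocked(cache, account, signed_by)
  return [] if account.blocks?(signed_by)
  cache.fetch([:pinned, account.id]) { account.pinned }
end

# Replays a sequence of signed fetches against one fresh cache and returns what
# each requester was served, so the two request orders can be compared.
def fetch_sequence(handler, account, actors)
  cache = MemoryCache.new
  actors.map { |actor| handler.call(cache, account, actor) }
end

if __FILE__ == $PROGRAM_NAME
  %i[pinned_collection_vulnerable pinned_collection_keyed_by_actor pinned_collection_uncached_for_blocked].each do |name|
    [[MALLORY, BOB], [BOB, MALLORY]].each do |order|
      served = fetch_sequence(method(name), ALICE, order)
      puts "#{name} #{order.map { |a| a.split('/').last }.inspect} => #{served.inspect}"
    end
  end
end
```

Run it with `ruby` to see the served collections for both request orders: the vulnerable handler returns the same answer to both requesters whichever one goes first, while both fixes return the empty collection only to the blocked actor. Keying by actor is the smaller change; leaving the blocked variant uncached keeps the number of cache entries from scaling with the number of distinct signing actors.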

Remediation

The CVE record itself lists no vendor fix or workaround; the fixed releases are the ones named in the description (4.3.19, 4.4.13 and 4.5.6).

OpenCVE Recommended Actions

  • Upgrade Mastodon to 4.3.19, 4.4.13 or 4.5.6 (whichever is the first patched release on the branch you run) or later, so that cached collection responses are no longer shared across signing actors.
  • Keep AUTHORIZED_FETCH enabled where you rely on it: disabling it removes the precondition for this bug but also removes the signature requirement on ActivityPub fetches, so it is a weaker position than upgrading, not a workaround.
  • After upgrading, clear the Rails cache (for example with `tootctl cache clear`) so that collection responses cached under the old, signature-independent keys are not served until they expire.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 21:15:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*

Thu, 05 Feb 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 11:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Joinmastodon; Joinmastodon mastodon

Type: Vendors & Products
Values removed: (none)
Values added: Joinmastodon; Joinmastodon mastodon

Wed, 04 Feb 2026 22:00:00 +0000

Type: Description
Values removed: (none)
Values added: Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache`. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regards to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6.

Type: Title
Values removed: (none)
Values added: Mastodon's signature-dependent ActivityPub collection responses cached under signature-independent keys (Web Cache Poisoning via `Rails.cache`)

Type: Weaknesses
Values removed: (none)
Values added: CWE-524

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T18:30:11.981Z

Reserved: 2026-02-02T19:59:47.375Z

Link: CVE-2026-25540

Vulnrichment

Updated: 2026-02-05T18:30:08.257Z

NVD

Status : Analyzed

Published: 2026-02-04T22:16:00.233

Modified: 2026-02-20T21:02:56.213

Link: CVE-2026-25540

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses