Description
Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content did not check properly whether the FASP was actually approved. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can make subscriptions and request content backfill without approval by an administrator. Done once, this leads to minor information leak of URIs that are publicly available anyway. But done several times this is a serious vector for DOS, putting pressure on the sidekiq worker responsible for the `fasp` queue. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.
Published: 2026-02-24
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure & Denial of Service
Action: Patch Update
AI Analysis

Impact

Mastodon versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6 allow an unapproved Fediverse Auxiliary Service Provider (FASP) to subscribe to account and content lifecycle events and to request content backfill. Because the server does not verify that the FASP has been approved by an administrator, a single request leaks URIs that are already public, and repeated requests can overload the sidekiq worker that handles the fasp queue, causing a denial of service. The weakness is classified as missing authorization (CWE-862).

Affected Systems

The affected software is Mastodon, release series 4.4.x up to 4.4.13 and 4.5.x up to 4.5.6. Only servers that have enabled the experimental FASP feature by setting the EXPERIMENTAL_FEATURES environment variable to a value that includes fasp are impacted; servers that do not enable this flag are not at risk.

Risk and Exploitability

The CVSS v4.0 base score is 4.8, EPSS is below 1%, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalogue. The attack vector is network-based (AV:N): the vulnerable endpoints can be reached remotely without privileges or user interaction. Because the flaw permits repeated subscription creation and content backfill without authorization, exploitation yields minor information disclosure and, with enough repeated requests, denial of service against the sidekiq worker that processes the fasp queue. Admins running the experimental fasp flag should prioritize the patch or disable the feature.

Generated by OpenCVE AI on April 16, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround is recorded in this field; the description above notes that the fix is included in the 4.4.14 and 4.5.7 releases.

OpenCVE Recommended Actions

  • Patch the platform to the latest supported release (4.4.14 or 4.5.7) that contains the fix.
  • Disable the experimental FASP feature if it is not required by removing `fasp` from the EXPERIMENTAL_FEATURES environment variable.
  • Monitor the sidekiq fasp queue for abnormal load and consider limiting backfill requests or rate-limiting the queue to prevent a denial of service.


Advisories

No advisories yet.

History

No entry removed values; each lists the values added.

Fri, 27 Feb 2026 21:15:00 +0000
  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 15:45:00 +0000
  Type: CPEs
  Values added: cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
  Type: Metrics (cvssV3_1)
  Values added: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}

Wed, 25 Feb 2026 12:00:00 +0000
  Type: First Time appeared
  Values added: Joinmastodon; Joinmastodon mastodon
  Type: Vendors & Products
  Values added: Joinmastodon; Joinmastodon mastodon

Tue, 24 Feb 2026 18:00:00 +0000
  Type: Description
  Values added: Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content did not check properly whether the FASP was actually approved. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can make subscriptions and request content backfill without approval by an administrator. Done once, this leads to minor information leak of URIs that are publicly available anyway. But done several times this is a serious vector for DOS, putting pressure on the sidekiq worker responsible for the `fasp` queue. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.
  Type: Title
  Values added: Mastodon may allow unconfirmed FASP to make subscriptions
  Type: Weaknesses
  Values added: CWE-862
  Type: References
  Values added: (no values shown)
  Type: Metrics (cvssV4_0)
  Values added: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-02-27T20:50:52.856Z
  Reserved: 2026-02-19T17:25:31.101Z
  Link: CVE-2026-27468

Vulnrichment
  Updated: 2026-02-27T20:50:49.804Z

NVD
  Status: Analyzed
  Published: 2026-02-24T18:29:33.660
  Modified: 2026-02-26T15:36:00.510
  Link: CVE-2026-27468

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-16T16:30:15Z

Weaknesses