Description
Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen `base_url` that includes or resolves to a local / internal address, leading to the Mastodon server making requests to that address. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can force the Mastodon server to make http(s) requests to internal systems. While they cannot control the full URL that is being requested (only the prefix) and cannot see the result of those requests, vulnerabilities or other undesired behavior could be triggered in those systems. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.
Published: 2026-02-24
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch Update
AI Analysis

Impact

This vulnerability allows an unauthenticated attacker to register a FASP provider with a base_url that points to an internal or local address. The Mastodon server then makes HTTP(S) requests to that address without validation. The attacker cannot control the full URL or access the response, but the forced requests can trigger vulnerabilities or other unintended behavior on internal systems. The weakness is a server‑side request forgery (CWE‑918).
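As an added illustration of the missing check (this is not Mastodon's code nor the fix shipped in 4.4.14 / 4.5.7), the validation a provider base_url needs before it is stored or contacted: accept only http(s), resolve the host, and refuse anything that is, or resolves to, a loopback, private, link-local or unspecified address. The `resolver:` keyword and the host table used in the test are assumptions so the check runs offline.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Address ranges a provider base_url must never resolve to: unspecified,
# loopback, RFC 1918 private, link-local, CGNAT, IPv6 ULA and link-local.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# True when the address falls in a blocked range. IPv4-mapped IPv6 addresses
# (::ffff:10.0.0.1) are unwrapped first so they cannot bypass the IPv4 rules.
def blocked_address?(ip)
  ip = ip.native if ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Returns true only when every address the host resolves to is routable on
# the public internet. The resolver is injectable (an assumed parameter, not
# part of any real API) so the check can be exercised offline.
def safe_fasp_base_url?(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  return false unless %w[http https].include?(uri.scheme)
  host = uri.hostname                     # strips [] from IPv6 literals
  return false if host.nil? || host.empty?
  return false if host.casecmp?('localhost') || host.end_with?('.localhost')
  addresses = begin
    [IPAddr.new(host)]                    # literal IP: no DNS lookup needed
  rescue IPAddr::InvalidAddressError
    resolver.call(host).map { |a| IPAddr.new(a) }
  end
  return false if addresses.empty?        # unresolvable hostname: fail closed
  addresses.none? { |ip| blocked_address?(ip) }
rescue URI::InvalidURIError, IPAddr::InvalidAddressError
  false
end
```

Resolving at validation time still leaves a window in which the DNS answer can change before the request is made, so a complete fix also pins the validated address when the outbound connection is opened.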

Affected Systems

The issue affects Mastodon servers running version 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6 that have enabled the experimental FASP feature by setting the EXPERIMENTAL_FEATURES environment variable to include fasp. Servers running the official releases 4.4.14 or 4.5.7 and later, or those not exercising the fasp feature, are not impacted. The problem exists only for administrators who have approved the FASP registration process.

Risk and Exploitability

With a CVSS score of 4.6 the severity is moderate, and the EPSS score is below 1%, indicating a low likelihood of exploitation in the real world. The vulnerability is not listed in CISA's KEV catalog. An attacker can exploit it without authentication, but only on servers that have the fasp feature enabled. The lack of response visibility limits the immediate effect, yet internal systems could be coerced into vulnerable actions. The risk is therefore modest but non-zero for enabled systems.

Generated by OpenCVE AI on April 17, 2026 at 15:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Mastodon to version 4.4.14 or newer, or version 4.5.7 or newer.
  • If an upgrade cannot be performed immediately, temporarily disable the experimental fasp feature by removing fasp from the EXPERIMENTAL_FEATURES environment variable.
  • Restrict FASP provider registrations to verified administrators and review any pending registrations once the patch is applied.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 21:30:00 +0000

Type      Values removed   Values added
CPEs                       cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Wed, 25 Feb 2026 12:00:00 +0000

Type                  Values removed   Values added
First time appeared                    Joinmastodon, Joinmastodon mastodon
Vendors & Products                     Joinmastodon, Joinmastodon mastodon

Tue, 24 Feb 2026 19:30:00 +0000

Type          Values removed   Values added
Description                    Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen `base_url` that includes or resolves to a local / internal address, leading to the Mastodon server making requests to that address. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can force the Mastodon server to make http(s) requests to internal systems. While they cannot control the full URL that is being requested (only the prefix) and cannot see the result of those requests, vulnerabilities or other undesired behavior could be triggered in those systems. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.
Title                          Mastodon has SSRF via unvalidated FASP Provider base_url
Weaknesses                     CWE-918
References
Metrics                        cvssV4_0 {'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T19:29:12.052Z

Reserved: 2026-02-19T19:46:03.539Z

Link: CVE-2026-27477

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-24T20:27:50.173

Modified: 2026-02-26T21:17:15.260

Link: CVE-2026-27477

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:45:15Z

Weaknesses