Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.
Published: 2026-03-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Open Redirect enabling phishing and credential theft
Action: Immediate Patch
AI Analysis

Impact

Mastodon versions prior to 4.5.8, 4.4.15, and 4.3.21 answer a request to the /web/* route whose path segment begins with a URL-encoded slash (%2F) with an HTTP redirect whose target starts with //. Browsers treat such a target as a scheme-relative URL and navigate to the attacker-chosen external host rather than to a path on the instance. No authentication is needed; the attacker only has to get a victim to open a crafted GET URL of the form /web/%2F<domain>. The result is an open redirect issued from the instance's own domain, which is useful for phishing and for luring users into OAuth flows that end on an attacker-controlled site. The underlying flaw is improper path normalization, classified as CWE-601.
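The mechanism described in the Description and in the Impact paragraph above, as an added Ruby example that is not Mastodon's code: it models a legacy /web/* route that redirects to the same path without the /web prefix, shows how a percent-encoded leading slash turns the redirect target into a scheme-relative URL that a browser resolves to another host, and puts a hardened same-origin check beside the vulnerable one. The route shape, the function names, and the hosts mastodon.example and evil.example are assumptions for illustration; CGI.unescape stands in for Rails' own parameter decoding.

```ruby
require 'uri'
require 'cgi'

# Added example, not Mastodon's code. Models the vulnerable pattern from the
# advisory: a catch-all /web/* route that redirects legacy links to the same
# path without the /web prefix, built from the percent-decoded wildcard
# segment. Route shape and hostnames are assumptions for illustration.

# Stand-in for Rails wildcard capture plus parameter decoding.
# "/web/%2Fevil.example%2Flogin" -> "/evil.example/login"
def web_splat(request_path)
  CGI.unescape(request_path.delete_prefix('/web/'))
end

# Vulnerable: prefixes "/" to the decoded segment and redirects to it.
# With a leading %2F the result starts with "//", which browsers treat as a
# scheme-relative URL (same scheme, attacker-chosen host).
def vulnerable_redirect_target(request_path)
  '/' + web_splat(request_path)
end

# Where a browser sitting on `origin` actually lands for a Location value.
def resolve(origin, location)
  URI.join(origin, location).to_s
end

# True when following `location` from `origin` leaves the instance's origin.
# Handy for checking an instance's Location header before and after patching.
def off_origin?(origin, location)
  base = URI.parse(origin)
  dest = URI.join(origin, location)
  dest.scheme != base.scheme || dest.host != base.host || dest.port != base.port
rescue URI::InvalidURIError
  true # unparsable target: treat as off-origin rather than follow it
end

# Hardened: only ever emit a same-origin absolute path. Rejects "//" and "/\"
# prefixes (scheme-relative in browsers) and anything that parses with a
# scheme or host; falls back to a fixed local path otherwise.
def safe_redirect_target(request_path, fallback: '/')
  target = '/' + web_splat(request_path)
  return fallback if target.start_with?('//', '/\\')

  uri = begin
    URI.parse(target)
  rescue URI::InvalidURIError
    return fallback
  end
  return fallback if uri.scheme || uri.host

  target
end

if __FILE__ == $PROGRAM_NAME
  origin = 'https://mastodon.example'
  ['/web/home', '/web/%2Fevil.example%2Flogin'].each do |path|
    bad  = vulnerable_redirect_target(path)
    good = safe_redirect_target(path)
    puts path
    puts "  vulnerable -> #{bad} (#{resolve(origin, bad)}) off-origin=#{off_origin?(origin, bad)}"
    puts "  hardened   -> #{good} (#{resolve(origin, good)})"
  end
end
```

The same off_origin? check applied to the Location header of a real response to /web/%2F<domain> is the quickest way to confirm that an instance has actually been patched: a fixed instance must never answer with a target that resolves off its own origin.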

Affected Systems

The vulnerability is in the Mastodon server application itself, so any instance running a release older than 4.5.8, 4.4.15, or 4.3.21 (in the 4.5, 4.4 and 4.3 branches respectively) is vulnerable, and every user of such an instance can be targeted.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (Medium) rates the redirect itself: the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N scores network reachability with no privileges, a user-interaction requirement (the victim has to follow the crafted link), and a low integrity impact only; the downstream phishing or OAuth-token capture that a convincing redirect enables is not reflected in the score. The EPSS estimate shown on this page is below 1%, and the vulnerability is not listed in CISA's KEV catalog. Exploitation needs nothing more than getting a victim to open a URL of the form /web/%2F<domain> on a vulnerable instance, which is trivial to generate and distribute. Because no authentication is required, every user of an unpatched instance is a potential target, and because the link points at the instance's own domain it passes casual inspection.

Generated by OpenCVE AI on March 27, 2026 at 21:36 UTC.

Remediation

Fixed upstream in Mastodon 4.5.8, 4.4.15, and 4.3.21, per the CVE description; no workaround is listed.

OpenCVE Recommended Actions

  • Update Mastodon to 4.3.21, 4.4.15, or 4.5.8 (or any later release in the same branch) to apply the official patch.
  • After updating, request /web/%2F<domain> with a harmless domain and confirm that the Location header, if any, resolves to the instance's own origin.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 08:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Joinmastodon
                                      Joinmastodon mastodon
Vendors & Products                    Joinmastodon
                                      Joinmastodon mastodon

Fri, 27 Mar 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description                    (the CVE description, as given at the top of this page)
Title                          Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>'
Weaknesses                     CWE-601
References
Metrics                        cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:50:07.687Z

Reserved: 2026-03-24T15:10:05.678Z

Link: CVE-2026-33868

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T20:16:34.333

Modified: 2026-03-27T20:16:34.333

Link: CVE-2026-33868

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:59:29Z

Weaknesses