Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.
Published: 2026-03-27
Score: 4.3 Medium
EPSS: 1.1% Low
KEV: No
Impact: Phishing and credential theft through open redirect
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a GET-based open redirect in Mastodon’s /web/* route. The application fails to normalize URL-encoded slashes, enabling an attacker to craft a URL that redirects a visitor to any external domain. This can be used to host phishing pages or force users to grant OAuth permissions to a malicious site.
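As an added, defender-side illustration (not Mastodon's code and not its actual fix), the Ruby snippet below shows why a redirect target has to be validated only after percent-decoding: `/%2Fexample.com` looks like a local path, but once `%2F` is decoded it is the protocol-relative `//example.com`, which browsers resolve to an external host. The function names, the double-decode step and the sample inputs are constructed for this example.

```ruby
require "uri"

# Decode %XX escapes the way the application would before using the value,
# so the safety check runs on the same bytes the redirect is built from
# (e.g. "%2F" becomes "/"). Work in binary to avoid encoding errors, then
# restore UTF-8; invalid escapes are left untouched.
def percent_decode(str)
  str.to_s.b.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
     .force_encoding(Encoding::UTF_8)
end

# True only when `target` is a same-origin, path-only redirect destination.
# Rejects absolute URLs, the protocol-relative "//host" form (which is what
# "/%2Fhost" turns into after decoding) and the backslash variant "/\host"
# that browsers normalise to "//host".
def safe_local_redirect_target?(target)
  decoded = percent_decode(percent_decode(target)) # second pass catches %252F
  return false unless decoded.valid_encoding?
  return false if decoded.empty?
  return false unless decoded.start_with?("/")
  return false if decoded.start_with?("//", "/\\")
  return false if decoded.match?(/\A[A-Za-z][A-Za-z0-9+.\-]*:/) # scheme present

  uri = begin
    URI.parse(decoded)
  rescue URI::InvalidURIError
    return false
  end
  uri.scheme.nil? && uri.host.nil? && uri.path.start_with?("/")
end

# Choose the redirect destination: keep the requested target when it stays
# on-site, otherwise fall back to a fixed local path (assumed helper).
def redirect_target_for(requested, fallback: "/")
  safe_local_redirect_target?(requested) ? requested : fallback
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: the first two stay local, the rest leave the
  # origin once decoded.
  samples = ["/web/timelines/home", "/settings?tab=profile",
             "/%2Fexample.com", "//example.com", "/%252Fexample.com",
             "https://example.com/", "/\\example.com"]
  samples.each { |s| puts "#{s.inspect} -> #{redirect_target_for(s).inspect}" }
end
```

The same host check is what Rails 7 and later apply when `redirect_to` is called with `allow_other_host: false` (or when `config.action_controller.raise_on_open_redirects` is enabled); the point of the hand-written version is that it is evaluated on the decoded string, so an encoded slash cannot slip past it.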

Affected Systems

The issue exists in all Mastodon releases earlier than 4.5.8, 4.4.15, and 4.3.21. Unauthenticated attackers can target any instance running those older versions.

Risk and Exploitability

The CVSS base score of 4.3 reflects moderate severity, and the EPSS score below 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. The attack requires only a simple HTTP GET request and no credentials, so it can be triggered by anyone with internet access.

Generated by OpenCVE AI on March 30, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mastodon to a patched version (4.5.8 or later, 4.4.15 or later, or 4.3.21 or later).

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 19:15:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 08:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Joinmastodon; Joinmastodon mastodon

Type: Vendors & Products
Values Removed: (none)
Values Added: Joinmastodon; Joinmastodon mastodon

Fri, 27 Mar 2026 20:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.

Type: Title
Values Removed: (none)
Values Added: Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>'

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-601

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T18:54:24.919Z

Reserved: 2026-03-24T15:10:05.678Z

Link: CVE-2026-33868

Vulnrichment

Updated: 2026-03-31T18:50:45.631Z

NVD

Status : Analyzed

Published: 2026-03-27T20:16:34.333

Modified: 2026-03-30T19:14:17.297

Link: CVE-2026-33868

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:00:46Z

Weaknesses