Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.
Published: 2026-04-23
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Registration
Action: Apply patch
AI Analysis

Impact

Mastodon allows new user registration to be limited by email domain name but performs insufficient validation of the email addresses submitted. The system does not prevent characters that can be interpreted differently by certain mail servers, allowing an attacker to register an account with a deceptively valid address. While the vulnerability does not provide immediate remote code execution, it can enable an attacker to create accounts that bypass domain restrictions, potentially facilitating social engineering, spam, or other malicious activities on the platform.

Affected Systems

The affected product is Mastodon distributed by the mastodon vendor. Versions prior to 4.5.9, 4.4.16, and 4.3.22 are vulnerable. Users running any earlier release of the software are impacted until they update to one of the patched versions.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. The EPSS score of less than 1% suggests that exploitation is currently considered unlikely, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a remote user initiating a registration request. An attacker could exploit the lack of email validation to create a user account that appears to belong to a whitelisted domain, thereby bypassing administrative controls.

Generated by OpenCVE AI on April 28, 2026 at 14:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mastodon to version 4.5.9, 4.4.16, or 4.3.22 to apply the official fix issued for this issue
  • If an upgrade is not immediately possible, disable or remove domain‑based email restrictions to prevent bypass through malformed addresses
  • Implement your own server‑side email validation that rejects characters that may be interpreted differently by mail servers, in line with best practices for input validation targeting CWE‑841

Generated by OpenCVE AI on April 28, 2026 at 14:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Joinmastodon
Joinmastodon mastodon
Vendors & Products Joinmastodon
Joinmastodon mastodon

Thu, 23 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Description Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.
Title Mastodon: Insufficient verification of email addresses
Weaknesses CWE-841
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Joinmastodon Mastodon
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T19:24:15.567Z

Reserved: 2026-04-18T14:01:46.801Z

Link: CVE-2026-41259

cve-icon Vulnrichment

Updated: 2026-04-23T19:24:12.583Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T19:17:30.027

Modified: 2026-04-28T18:50:54.427

Link: CVE-2026-41259

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses