Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the affected range to make Mastodon perform HTTP requests against loopback interfaces, potentially allowing access to otherwise private resources and services. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Published: 2026-06-24
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mastodon servers older than 4.5.10, 4.4.17, or 4.3.23 omit the IPv6 unspecified address (::) from the list of disallowed IP ranges that filters outbound HTTP requests. A URL whose host is :: therefore passes the filter, and the host's network stack delivers a connection to the unspecified address to its own loopback interface. Because the request originates from the server, it can reach services bound to localhost that are not exposed externally, potentially disclosing sensitive data or enabling further attacks. The flaw is categorized as CWE-918, Server-Side Request Forgery (SSRF).

Affected Systems

The affected product is the Mastodon open-source social network server. Versions prior to 4.5.10, 4.4.17, or 4.3.23 are vulnerable. The problem lies in the server's IP filtering logic rather than in any particular deployment setup, so every installation running an unpatched version is affected.

Risk and Exploitability

The CVSS 4.0 base score is 8.7 (High). The vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N) describes a network-reachable flaw that needs no privileges or user interaction and rates the impact on integrity High, with no direct confidentiality or availability impact scored. EPSS data is not yet available and the flaw is not listed in the CISA KEV catalog, so the real-world exploitation probability is unknown. Based on the description, an attacker only needs to supply a URL whose host is the IPv6 unspecified address (::) to a feature that makes the Mastodon server fetch it; the request passes the disallowed-range check and is delivered to the loopback interface. Any service listening on localhost without authentication then becomes reachable from the server's own network position, so the practical impact depends on what is bound there. Deployments that rely on network isolation alone to protect such services are the most exposed.

Generated by OpenCVE AI on June 24, 2026 at 21:54 UTC.
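The bypass as a worked check, added here as an illustration and not code from the Mastodon project: a constructed denylist in the shape the advisory describes, missing ::/128, beside the corrected list, and a URL filter that handles IP literals only. The range list, the port 3000 target and the helper name are assumptions for the example.

```ruby
require "ipaddr"
require "uri"

# Constructed denylist for illustration (not Mastodon's real list): loopback,
# RFC 1918, link-local and the IPv4 unspecified address are covered, but the
# IPv6 unspecified address ::/128 is absent, mirroring the advisory.
DISALLOWED_BEFORE = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Corrected list: the only change is adding ::/128. A connect() to the
# unspecified address is delivered to the host's own loopback interface,
# so it must be treated exactly like 127.0.0.0/8 and ::1.
DISALLOWED_AFTER = (DISALLOWED_BEFORE + [IPAddr.new("::/128")]).freeze

# Returns true when the URL's host literal falls inside one of +ranges+.
# IPv4-mapped IPv6 literals (::ffff:127.0.0.1) are unwrapped to their IPv4
# form first so that the IPv4 ranges apply to them. Only IP literals are
# handled here; a real implementation must apply the same check to every
# address a hostname resolves to and then connect to that checked address.
def url_blocked?(url, ranges)
  host = URI(url).hostname            # strips the [] around IPv6 literals
  ip = IPAddr.new(host)
  ip = ip.native if ip.ipv4_mapped?
  ranges.any? { |range| range.include?(ip) }
rescue IPAddr::InvalidAddressError
  raise ArgumentError, "example handles IP literals only, got #{host.inspect}"
end

if $PROGRAM_NAME == __FILE__
  target = "http://[::]:3000/"       # assumed local service port for the demo
  puts "before fix, #{target} blocked? #{url_blocked?(target, DISALLOWED_BEFORE)}"
  puts "after fix,  #{target} blocked? #{url_blocked?(target, DISALLOWED_AFTER)}"
  mapped = "http://[::ffff:127.0.0.1]/"
  puts "mapped loopback #{mapped} blocked? #{url_blocked?(mapped, DISALLOWED_BEFORE)}"
end
```

The mapped-loopback case is handled by unwrapping the address rather than by listing ::ffff:0:0/96, which keeps the IPv4 and IPv6 lists from drifting apart. A filter applied only to the literal host is also not enough once DNS is involved: the check has to run on the resolved addresses, and the connection has to use the address that was checked, or a rebinding resolver defeats the list just as :: does here.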

Remediation

Fixed upstream in Mastodon 4.5.10, 4.4.17, and 4.3.23. No workaround is described in the advisory.

OpenCVE Recommended Actions

  • Upgrade Mastodon to 4.5.10 (4.5 series), 4.4.17 (4.4 series), or 4.3.23 (4.3 series), where the disallowed IP range list is corrected.
  • Verify that outbound HTTP requests from the Mastodon processes (web, streaming, Sidekiq) pass through an egress filter that blocks loopback and private address ranges, including the IPv6 unspecified address (::) and its IPv4 counterpart 0.0.0.0, so that internal services stay unreachable even if the application-level check is bypassed.
  • Where the patch cannot be deployed immediately, add host firewall or network-segmentation rules that restrict loopback traffic from the Mastodon service to the local dependencies it actually needs (for example its database and Redis instance) and reject everything else. Blocking all traffic to 127.0.0.0/8 and ::1 outright will break an instance whose dependencies listen on localhost.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description   -                Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the affected range to make Mastodon perform HTTP requests against loopback interfaces, potentially allowing access to otherwise private resources and services. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Title         -                Mastodon: SSRF Bypass via IPv6 Unspecified Address (::)
Weaknesses    -                CWE-918
References    -                -
Metrics       -                cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T19:39:46.332Z

Reserved: 2026-05-13T18:37:30.990Z

Link: CVE-2026-46348

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T22:00:04Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)