Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing attackers to re-arrange a valid signed JSON-LD activity from a third-party actor to have it processed differently. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Published: 2026-06-24
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mastodon verifies Linked-Data Signatures on incoming activities by normalizing the JSON-LD document before checking the signature over it. Before versions 4.5.10, 4.4.17, and 4.3.23 that normalization did not fully protect against a class of spoofing in which an attacker re-arranges an activity that a third-party actor legitimately signed (the advisory title names JSON-LD named-graph restructuring) so that the signature still verifies but the receiving server processes the activity differently from what the signer produced. The impact is on integrity: the server may act on a structure the signing actor never emitted while still attributing it to that actor. The CVSS vector (C:N/I:L/A:N) records this as a low integrity impact with no confidentiality or availability effect.
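The flaw class named above (a signature computed over a normalized form that does not capture everything the application later reads from the JSON tree) is easier to see in code. The block below is an added illustration for this page; it is not Mastodon's implementation and does not reproduce this CVE. It stands in HMAC for the RSA Linked-Data Signature, a short quad flattener for JSON-LD expansion and URDNA2015 canonicalization, and constructed example.org identifiers. The lossy canonicalizer discards the graph component of each statement, so moving the object's statements into a named graph that keeps the same @id leaves the signed bytes unchanged while a JSON-tree consumer's view of the object changes; the quad-preserving canonicalizer rejects the same rewrite.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the signing actor's key; a real LD-Signature uses the
# actor's RSA key and also covers the signature options, which are omitted here.
KEY = b"demo-actor-key"


def to_quads(node, graph="@default"):
    """Flatten a small JSON-LD-like node into (graph, subject, predicate, object) tuples.

    Handles '@id', scalar properties, nested nodes carrying an '@id', and '@graph',
    which opens a named graph labelled with the enclosing node's '@id'.
    Illustrative only: no context processing and no blank-node labelling.
    """
    quads = []
    subject = node["@id"]
    for key, value in node.items():
        if key == "@id":
            continue
        if key == "@graph":
            for inner in value:
                quads.extend(to_quads(inner, graph=subject))
        elif isinstance(value, dict):
            quads.append((graph, subject, key, value["@id"]))
            quads.extend(to_quads(value, graph))
        else:
            quads.append((graph, subject, key, json.dumps(value)))
    return quads


def canonical_lossy(doc):
    """Flaw class: serialize triples only, dropping the graph label.

    Statements inside a named graph become indistinguishable from statements in
    the default graph, so differently structured documents share one canonical form.
    """
    return "\n".join(sorted(f"{s} {p} {o} ." for _, s, p, o in to_quads(doc))).encode()


def canonical_quads(doc):
    """Hardened form: keep the graph label on every line (N-Quads style)."""
    return "\n".join(sorted(f"{s} {p} {o} {g} ." for g, s, p, o in to_quads(doc))).encode()


def strip_signature(doc):
    return {k: v for k, v in doc.items() if k != "signature"}


def sign_doc(doc, canon):
    """Return a copy of doc carrying a signature over canon(doc minus 'signature')."""
    signed = strip_signature(doc)
    signed["signature"] = hmac.new(KEY, canon(signed), hashlib.sha256).hexdigest()
    return signed


def verify(doc, canon):
    expected = hmac.new(KEY, canon(strip_signature(doc)), hashlib.sha256).hexdigest()
    return hmac.compare_digest(doc.get("signature", ""), expected)


def app_view(doc):
    """What a JSON-tree consumer acts on: the object's content, if it sees one."""
    return doc["object"].get("content")


def restructure(doc):
    """Attacker's rewrite: wrap the object's statements in a named graph that keeps
    the same @id, leaving the signature untouched. At the RDF level no statement is
    added or removed; only graph membership changes."""
    out = dict(doc)
    obj = doc["object"]
    out["object"] = {"@id": obj["@id"], "@graph": [obj]}
    return out


# Constructed example of an activity as the signing actor's server would emit it.
ACTIVITY = {
    "@id": "https://example.org/activities/1",
    "type": "Create",
    "actor": {"@id": "https://example.org/users/alice"},
    "object": {"@id": "https://example.org/notes/1", "content": "hello"},
}


def demo():
    """Returns (lossy_accepts_rewrite, quads_accept_rewrite, view_before, view_after)."""
    forged_lossy = restructure(sign_doc(ACTIVITY, canonical_lossy))
    forged_quads = restructure(sign_doc(ACTIVITY, canonical_quads))
    return (
        verify(forged_lossy, canonical_lossy),  # True: signature survives the rewrite
        verify(forged_quads, canonical_quads),  # False: the graph label is covered
        app_view(ACTIVITY),                      # "hello"
        app_view(forged_lossy),                  # None: consumer no longer sees content
    )


if __name__ == "__main__":
    print(demo())
```

The design point is that the verifier and the consumer must read the same thing: either the application acts only on the canonicalized statements it verified, or the canonical form must be injective over every structural choice the application's JSON parser can observe. The lossy variant breaks that invariant, and the rewrite needs no key material, only a copy of an already-signed activity.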

Affected Systems

The product affected is the Mastodon social‑network server. All instances running a version older than 4.5.10, 4.4.17, or 4.3.23 are vulnerable. Upgrading to any of those releases or a later one removes the flaw.

Risk and Exploitability

The CVSS score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates moderate risk: the flaw is reachable over the network without privileges or user interaction, but the only recorded impact is a low loss of integrity. No EPSS score is available and the vulnerability is not listed in CISA KEV, so no exploitation had been publicly reported at the time of publication. Exploitation requires a copy of an activity legitimately signed by a third-party actor and the ability to deliver crafted ActivityPub traffic to the target instance, both of which are available to any server that federates with it. The flaw is present only in releases older than the fixed versions, so upgrading closes the exposure.

Generated by OpenCVE AI on June 24, 2026 at 21:38 UTC.

Remediation

Fixed in Mastodon 4.5.10, 4.4.17 and 4.3.23 (see Description); the vendor lists no workaround for earlier releases.

OpenCVE Recommended Actions

  • Upgrade your Mastodon instance to version 4.5.10, 4.4.17, or 4.3.23 or newer, which contain the fix for the JSON‑LD signature normalization flaw.
  • If an immediate upgrade is not possible, note that a restructured activity still carries a valid signature from a legitimate third-party actor, so filtering on the signing actor does not stop it; reducing the set of remote servers that can deliver activities to your instance (for example Mastodon's limited federation mode) narrows who can relay a crafted activity, but only the upgrade removes the flaw.
  • Subscribe to Mastodon security advisories to stay informed of future updates or related issues.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing attackers to re-arrange a valid signed JSON-LD activity from a third-party actor to have it processed differently. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Title         (none)           Mastodon: LD-Signature Bypass via JSON-LD Named-Graph Restructuring
Weaknesses    (none)           CWE-347
References    (none)           (none)
Metrics       (none)           cvssV3_1: score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T19:40:35.022Z

Reserved: 2026-05-13T18:37:30.990Z

Link: CVE-2026-46349

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:45:15Z

Weaknesses
  • CWE-347

    Improper Verification of Cryptographic Signature