Impact
The vulnerability is a missing authorization check that allows an attacker to forge a FeatureAuthorization object used to confirm an account’s consent to be featured in a remote Collection. The flaw arises from an omitted condition when verifying whether the remote account has consented, enabling attackers to fake consent. By manipulating this object, an attacker can make an account appear as if it has granted consent when it has not, leading to unauthorized inclusion in Collections. The FeatureAuthorization, which must reside on the same domain as the object it authorizes, is checked inconsistently, and the actual object referenced does not match the one in the Collection item. This missing validation results in an authorization bypass (CWE‑345) and mismatched object verification (CWE‑863).
Affected Systems
Mastodon servers that run the main development branch or nightly builds and have the experimental Collections feature enabled through the EXPERIMENTAL_FEATURES environment variable are affected. Versions earlier than 4.6.0‑beta.1 contain the flaw; upgrading to 4.6.0‑beta.1 or newer removes the missing check. The vulnerability does not exist in releases that do not enable the experimental Collections feature.
Risk and Exploitability
The CVSS score of 7.5 indicates moderate‑to‑high severity. An EPSS score of less than 1 percent suggests the likelihood of current exploitation is low, and the vulnerability is not listed in CISA KEV. The likely attack vector is remote, via JSON data sent to an API endpoint that processes FeatureAuthorization objects. Fulfilling the missing validation allows the attacker to forge the authorization object, so no special privileges or authentication beyond normal API usage are required. Consequently, the flaw can be widely exploited if the Collections feature is enabled.
OpenCVE Enrichment