Description
Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the FeatureAuthorization object that is used to verify consent to be featured in a Collection and thus make it appear as if an account is allowed to be in a Collection when it actually is not. While the FeatureAuthorization must reside on the same domain as the object it is for, a check is missing to make sure said object is actually the same as in the Collection item. This allows an attacker to forge the authorization. Mastodon servers are affected only if running the main branch or nightly builds who have opted into testing the experimental "Collections" feature by setting the environment variable EXPERIMENTAL_FEATURES to a value including collections. This has been patched in version 4.6.0-beta.1.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check that allows an attacker to forge a FeatureAuthorization object used to confirm an account’s consent to be featured in a remote Collection. The flaw arises from an omitted condition when verifying whether the remote account has consented, enabling attackers to fake consent. By manipulating this object, an attacker can make an account appear as if it has granted consent when it has not, leading to unauthorized inclusion in Collections. The FeatureAuthorization, which must reside on the same domain as the object it authorizes, is checked inconsistently, and the actual object referenced does not match the one in the Collection item. This missing validation results in an authorization bypass (CWE‑345) and mismatched object verification (CWE‑863).

Affected Systems

Mastodon servers that run the main development branch or nightly builds and have the experimental Collections feature enabled through the EXPERIMENTAL_FEATURES environment variable are affected. Versions earlier than 4.6.0‑beta.1 contain the flaw; upgrading to 4.6.0‑beta.1 or newer removes the missing check. The vulnerability does not exist in releases that do not enable the experimental Collections feature.

Risk and Exploitability

The CVSS score of 7.5 indicates moderate‑to‑high severity. An EPSS score of less than 1 percent suggests the likelihood of current exploitation is low, and the vulnerability is not listed in CISA KEV. The likely attack vector is remote, via JSON data sent to an API endpoint that processes FeatureAuthorization objects. Fulfilling the missing validation allows the attacker to forge the authorization object, so no special privileges or authentication beyond normal API usage are required. Consequently, the flaw can be widely exploited if the Collections feature is enabled.

Generated by OpenCVE AI on June 18, 2026 at 03:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to Mastodon 4.6.0‑beta.1 or later.
  • If an upgrade cannot be performed immediately, disable the experimental Collections feature by removing or adjusting the EXPERIMENTAL_FEATURES environment variable so that "collections" is not enabled.
  • Restart the Mastodon services so that the new configuration and patch are fully in effect.

Generated by OpenCVE AI on June 18, 2026 at 03:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Joinmastodon
Joinmastodon mastodon
Vendors & Products Joinmastodon
Joinmastodon mastodon

Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the FeatureAuthorization object that is used to verify consent to be featured in a Collection and thus make it appear as if an account is allowed to be in a Collection when it actually is not. While the FeatureAuthorization must reside on the same domain as the object it is for, a check is missing to make sure said object is actually the same as in the Collection item. This allows an attacker to forge the authorization. Mastodon servers are affected only if running the main branch or nightly builds who have opted into testing the experimental "Collections" feature by setting the environment variable EXPERIMENTAL_FEATURES to a value including collections. This has been patched in version 4.6.0-beta.1.
Title Mastodon has a consent-check bypass in its remote Collections
Weaknesses CWE-345
CWE-863
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Joinmastodon Mastodon
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-15T18:51:29.498Z

Reserved: 2026-05-19T22:36:16.883Z

Link: CVE-2026-47777

cve-icon Vulnrichment

Updated: 2026-06-15T18:51:25.902Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T18:16:35.287

Modified: 2026-06-16T15:51:29.037

Link: CVE-2026-47777

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T03:45:05Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity

  • CWE-863

    Incorrect Authorization