Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from a third-party actor. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Published: 2026-06-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mastodon lacked sufficient protection for Linked-Data signatures in activities, allowing a threat actor to delete JSON entries from a validly signed activity of a third‑party actor. The vulnerability is a signature integrity flaw (CWE‑354) that compromises data authenticity. An attacker could therefore inject or modify activity payloads that appear legitimate, potentially broadcasting false information or influencing follower actions.

Affected Systems

The issue affects Mastodon servers running any of the following pre‑patch versions: 4.5.x prior to 10, 4.4.x prior to 17, and 4.3.x prior to 23. All instances of the Mastodon application noted in the CNA product list (mastodon:mastodon) are susceptible if they have not applied the corresponding security update.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves an adversary submitting a forged signed activity to an exposed Mastodon endpoint; the instance will process the activity as if it were from a legitimate actor, thereby enabling spoofed broadcasts. Exploitation requires the ability to send HTTP POST requests to the instance’s activity handling endpoint and knowledge of the target actor’s identity.

Generated by OpenCVE AI on June 24, 2026 at 22:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official security update to one of the supported versions: 4.5.10, 4.4.17, or 4.3.23.
  • Restart all Mastodon services (web, streaming, sidekiq, etc.) to ensure the updated code is loaded.
  • If you use custom federation plugins or scripts that bypass signature checks, update them to enforce strict Linked-Data Signature verification or remove them until they are audited for compliance.

Generated by OpenCVE AI on June 24, 2026 at 22:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Joinmastodon
Joinmastodon mastodon
Vendors & Products Joinmastodon
Joinmastodon mastodon

Wed, 24 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Description Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from a third-party actor. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Title Mastodon: Removal of integrity-protected JSON entries from signed activities
Weaknesses CWE-354
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Joinmastodon Mastodon
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T13:26:34.764Z

Reserved: 2026-05-20T17:44:09.587Z

Link: CVE-2026-48028

cve-icon Vulnrichment

Updated: 2026-06-25T13:26:30.447Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses
  • CWE-354

    Improper Validation of Integrity Check Value