Description
Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how it is defined makes Linked Data Signatures on the toot:attributionDomains property ineffective. An attacker can arbitrarily modify the attributionDomains value of a legitimately signed Update activity and bypass Mastodon’s signature verification. This vulnerability is fixed in 4.5.11 and 4.4.18.
Published: 2026-06-24
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in Mastodon's handling of the attributionDomains JSON-LD term, which is used to credit the authors of linked articles. An error in how the term is defined renders Linked Data Signatures ineffective over the toot:attributionDomains property, so an attacker can alter the attributionDomains value of a legitimately signed Update activity without invalidating its signature. As a result, malicious actors can forge author attribution and have content credited to any domain they choose. This undermines authenticity and can be used for misinformation or impersonation of legitimate authors.

Affected Systems

The issue affects Mastodon server releases from version 4.3.0 up to, but not including, the fixed versions: releases before 4.5.11 on the 4.5 branch and before 4.4.18 on the 4.4 branch. The vulnerability is resolved in the 4.5.11 and 4.4.18 releases.

Risk and Exploitability

The CVSS score of 5.3 places this vulnerability in the moderate severity range. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to craft a signed Update activity, likely through the official API or a custom client, and supply a false attributionDomains value. The attack can be carried out remotely by an authenticated user with the ability to publish updates, and the impact is limited to the misattribution of content rather than arbitrary code execution or system compromise.

Generated by OpenCVE AI on June 24, 2026 at 21:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Mastodon instance to version 4.5.11 or later, or to 4.4.18 if using that branch, to apply the fix that restores proper signature verification.
  • Ensure that all clients and integrations use the latest Mastodon library that honors the updated attributionDomains validation logic, and configure them to reject any signed Update activities with altered domains.
  • Monitor the activity logs for unexpected changes to attribution information, and regularly review server configuration to confirm that only trusted domains are accepted in author attribution schemes.

Generated by OpenCVE AI on June 24, 2026 at 21:36 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how it is defined makes Linked Data Signatures on the toot:attributionDomains property ineffective. An attacker can arbitrarily modify the attributionDomains value of a legitimately signed Update activity and bypass Mastodon’s signature verification. This vulnerability is fixed in 4.5.11 and 4.4.18.
Title | (none) | Mastodon: Spoofing of attribution domains
Weaknesses | (none) | CWE-354
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T19:48:52.942Z

Reserved: 2026-06-03T18:49:32.275Z

Link: CVE-2026-50128

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:45:15Z

Weaknesses
  • CWE-354: Improper Validation of Integrity Check Value