WRITEUP

Exploit for CVE-2026-22246 - Mastodon 4.3 - Info Disclosure
AI Analysis

This patch addresses an authorization bypass (insecure direct object reference) in Mastodon's severed_relationships_controller.rb: the controller looked up an account relationship severance event by id without checking who owned it, so any logged-in user could read another user's events. The fix scopes the lookup to the requesting user's own account, so an id belonging to someone else is simply not found, and adds test cases that verify the behavior.
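The example below models the pattern the analysis describes, with the unscoped lookup beside the ownership-scoped one. It is an added illustration, not Mastodon's code: the event struct, the in-memory table, the account ids and the helper names are all hypothetical, and the sample data is constructed.

```ruby
# Added example of the IDOR pattern and its fix. Not Mastodon's code: the
# data model, ids and helper names below are hypothetical stand-ins.

# One account-relationship-severance event, owned by exactly one account.
SeveranceEvent = Struct.new(:id, :account_id, :type, :target_name)

# Constructed sample data: two accounts, each with one event.
EVENTS = [
  SeveranceEvent.new(1, 100, 'domain_block', 'example.org'),
  SeveranceEvent.new(2, 200, 'user_domain_block', 'other.test'),
].freeze

# Stand-in for ActiveRecord::RecordNotFound (not the real class).
class RecordNotFound < StandardError; end

# Vulnerable lookup: any event is returned by id, whoever owns it.
def find_event_unscoped(id)
  EVENTS.find { |e| e.id == id } or raise RecordNotFound, "event #{id}"
end

# Fixed lookup: restrict to the caller's own rows first, then find by id.
# An id that belongs to another account is not found (404), so nothing
# about it leaks, not even its existence.
def find_event_for_account(account_id, id)
  owned = EVENTS.select { |e| e.account_id == account_id }
  owned.find { |e| e.id == id } or raise RecordNotFound, "event #{id}"
end

# Simulated controller action: returns [http_status, body].
def show_event(account_id, id, scoped: true)
  event = scoped ? find_event_for_account(account_id, id) : find_event_unscoped(id)
  [200, { id: event.id, type: event.type, target_name: event.target_name }]
rescue RecordNotFound
  [404, { error: 'Record not found' }]
end

# Exercise both code paths: account 100 requests account 200's event (id 2),
# then its own event (id 1). Returns the status each request receives.
def audit
  cross_account = show_event(100, 2, scoped: false) # unscoped: victim's data returned
  fixed         = show_event(100, 2, scoped: true)  # scoped: not found
  own           = show_event(100, 1, scoped: true)  # scoped: own record still works
  { vulnerable: cross_account.first, fixed: fixed.first, own: own.first }
end

puts audit.inspect if $PROGRAM_NAME == __FILE__
```

In a Rails controller the same scoping is usually expressed by starting the query from the association on the authenticated account (the `current_account.some_association.find(params[:id])` idiom) rather than from the model class, which is the shape of "adding a scope to the query" that the analysis refers to. The regression test to keep is the cross-account request: it must return 404, not 200.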

Attack Type
auth_bypass
Complexity
trivial
Reliability
reliable
MITRE ATT&CK
T1068 - Exploitation for Privilege Escalation
Authors
Claire
Vulnerability
CVE-2026-22246
Mastodon 4.3 - Info Disclosure
MEDIUM
CVSS 6.5