Description
Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue.
References (5)
Core 5
Core References
Vendor Advisory x_refsource_confirm
https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3
Patch x_refsource_misc
https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3
Patch x_refsource_misc
https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6
Release Notes x_refsource_misc
https://github.com/mastodon/mastodon/releases/tag/v4.1.18
Release Notes x_refsource_misc
https://github.com/mastodon/mastodon/releases/tag/v4.2.10
Scores
CVSS v3
8.2
EPSS
0.0084
EPSS Percentile
74.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (1)
joinmastodon/mastodon
2.6.0 - 4.1.18
Published
Jul 05, 2024
Tracked Since
Feb 18, 2026