CVE-2026-33869

MEDIUM

Mastodon Quote Authorization - Denial of Service

Title source: manual

Description

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/mastodon/mastodon/security/advisories/GHSA-q4g8-82c5-9h33

Scores

CVSS v3 4.8

EPSS 0.0017

EPSS Percentile 6.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (3)

joinmastodon/mastodon 4.4.0 - 4.4.15

mastodon/mastodon >= 4.4.0, < 4.4.15

mastodon/mastodon >= 4.5.0, < 4.5.8

Published Mar 27, 2026

Tracked Since Mar 29, 2026