CVE Catalog

CVE-2026-46349

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile — higher than 6% of all known CVEs

Summary

Mastodon, a social network server based on ActivityPub, prior to versions 4.5.10, 4.4.17, and 4.3.23, improperly normalized incoming activities signed with Linked-Data Signatures, allowing attackers to manipulate valid signed JSON-LD activities from third-party actors.

Risk Assessment

This vulnerability may lead to unauthorized processing of activities, threatening data integrity and user security on the platform.

Recommendation

It is recommended to upgrade to versions 4.5.10, 4.4.17, or 4.3.23 to secure the system against this type of attack.

Original NVD description (English source)

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing attackers to re-arrange a valid signed JSON-LD activity from a third-party actor to have it processed differently. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS