CVE Catalog

CVE-2026-48028

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

Prior to versions 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures did not adequately protect against a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from third-party actors.

Risk Assessment

This vulnerability may lead to data manipulation within the system, posing a risk to the integrity of information and user trust in the platform.

Recommendation

It is recommended to upgrade to versions 4.5.10, 4.4.17, or 4.3.23 to mitigate this type of attack.

Original NVD description (English source)

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from a third-party actor. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS