CVE-2026-48028
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
Prior to versions 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures did not adequately protect against a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from third-party actors.
Risk Assessment
This vulnerability may lead to data manipulation within the system, posing a risk to the integrity of information and user trust in the platform.
Recommendation
It is recommended to upgrade to versions 4.5.10, 4.4.17, or 4.3.23 to mitigate this type of attack.
Original NVD description (English source)
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from a third-party actor. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.

