CVE-2026-25540
Web Cache Poisoning in Mastodon ActivityPub Endpoints

Publication date: 2026-02-04

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13 and 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache`. When AUTHORIZED_FETCH is enabled, the contents of the ActivityPub endpoints for pinned posts and featured hashtags depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regard to the signing actor. As a result, an empty response generated for a blocked account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13 and 4.5.6.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-05
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 3 associated CPEs
Vendor        Product   Version / Range
joinmastodon  mastodon  up to 4.3.19 (excluded)
joinmastodon  mastodon  from 4.4.0 (included) to 4.4.13 (excluded)
joinmastodon  mastodon  from 4.5.0 (included) to 4.5.6 (excluded)
CWE
CWE-524: The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
Executive Summary

This vulnerability affects Mastodon, an open-source social network server. Before the fixed versions, the responses Mastodon cached for certain ActivityPub endpoints depended on the account that signed the HTTP request, but the cache entries were not isolated per signing account. Specifically, when AUTHORIZED_FETCH is enabled, responses for pinned posts and featured hashtags depend on the requesting account, yet the cache key does not distinguish between requesters.

As a result, cached responses intended for one user (such as an empty response for a blocked user) could be served to other users (including legitimate non-blocked users), or vice versa. This is known as web cache poisoning and can cause incorrect or unintended content to be delivered to users.
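The description and the executive summary above both come down to one cache-keying mistake: the response varies by signing actor, but the cache key does not. The following Ruby illustration is an added example, not Mastodon's code and not its actual patch; `SimpleCache`, `Account`, `visible_pinned_posts` and the two `pinned_posts_*` helpers are hypothetical stand-ins for a `Rails.cache`-style read-through cache and an ActivityPub collection endpoint. It replays the two request orders named in the description (blocked actor first, then legitimate actor first) against an unscoped key and against a key that includes the signing actor.

```ruby
# Added illustration (not Mastodon's code): a cache key that omits the
# signing actor leaks one actor's response to another; scoping the key by
# signing actor fixes it. All names below are hypothetical.

# Minimal stand-in for a Rails.cache-style read-through cache.
class SimpleCache
  def initialize
    @store = {}
  end

  # Return the cached value for key, computing and storing it on a miss.
  def fetch(key)
    return @store[key] if @store.key?(key)
    @store[key] = yield
  end

  def size
    @store.size
  end
end

Account = Struct.new(:handle, :blocked_handles)

# The content of a "pinned posts" collection depends on who is asking:
# a requester the owner has blocked receives an empty collection.
def visible_pinned_posts(owner, requester, posts)
  return [] if owner.blocked_handles.include?(requester.handle)
  posts
end

# Vulnerable pattern: the key names only the owner, so whichever requester
# populates the entry first decides what every later requester receives.
def pinned_posts_unscoped(cache, owner, requester, posts)
  cache.fetch("pinned:#{owner.handle}") do
    visible_pinned_posts(owner, requester, posts)
  end
end

# Fixed pattern: the key includes the signing actor, so each actor's view is
# cached separately and one actor's result is never reused for another.
def pinned_posts_scoped(cache, owner, requester, posts)
  cache.fetch("pinned:#{owner.handle}:for:#{requester.handle}") do
    visible_pinned_posts(owner, requester, posts)
  end
end

# Replay both request orders against both keying schemes.
def demonstrate
  posts = ["post-1", "post-2"]               # constructed sample data
  owner = Account.new("alice", ["mallory"])  # alice has blocked mallory
  blocked = Account.new("mallory", [])
  legit = Account.new("bob", [])

  # Unscoped key, blocked actor first: the empty result is served to bob.
  unscoped_a = SimpleCache.new
  pinned_posts_unscoped(unscoped_a, owner, blocked, posts)
  legit_gets = pinned_posts_unscoped(unscoped_a, owner, legit, posts)

  # Unscoped key, legitimate actor first: the full result is served to mallory.
  unscoped_b = SimpleCache.new
  pinned_posts_unscoped(unscoped_b, owner, legit, posts)
  blocked_gets = pinned_posts_unscoped(unscoped_b, owner, blocked, posts)

  # Scoped key: each actor gets its own entry and its own correct view.
  scoped = SimpleCache.new
  pinned_posts_scoped(scoped, owner, blocked, posts)
  scoped_legit = pinned_posts_scoped(scoped, owner, legit, posts)
  scoped_blocked = pinned_posts_scoped(scoped, owner, blocked, posts)

  {
    unscoped_for_legit: legit_gets,       # [] : cache poisoned by the blocked actor
    unscoped_for_blocked: blocked_gets,   # full list : overshared to the blocked actor
    scoped_for_legit: scoped_legit,
    scoped_for_blocked: scoped_blocked,
    scoped_entries: scoped.size           # one entry per signing actor
  }
end

puts demonstrate.inspect if __FILE__ == $PROGRAM_NAME
```

The defender's takeaway is the general rule behind CWE-524: any input the response depends on (here the signing actor's identity, or at least its blocked/not-blocked status) must be part of the cache key, or the response must not be cached at all.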

Impact Analysis

This vulnerability can lead to users receiving incorrect or unintended content. For example, a legitimate user might receive an empty response if the cache was poisoned by a blocked user's request, or a blocked user might see content meant only for non-blocked users.

Such behavior can cause confusion, degrade user experience, and potentially expose information inconsistently. It may also undermine trust in the platform's content delivery and user access controls.

The vulnerability has a CVSS base score of 6.5, indicating a medium severity with impacts on confidentiality and availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Mastodon to one of the patched versions: 4.3.19, 4.4.13, or 4.5.6.
