CVE-2026-27468
Improper Authorization in Mastodon FASP Causes DoS Risk
Publication date: 2026-02-24
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joinmastodon | mastodon | From 4.4.0 (inc) to 4.4.14 (exc) |
| joinmastodon | mastodon | From 4.5.0 (inc) to 4.5.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27468 is a vulnerability in the Mastodon social network server affecting its experimental FASP (Federated Account Subscription Protocol) feature. In affected versions, actions performed by a FASP client to subscribe to account or content lifecycle events or to backfill content did not properly verify whether the FASP client was approved by an administrator.

This flaw allows an attacker to make unauthorized subscriptions and request content backfill without approval, potentially leaking minor publicly available information and enabling denial-of-service attacks by overloading the system's worker queue responsible for handling FASP tasks.

The vulnerability only affects Mastodon servers that have explicitly enabled the experimental FASP feature by setting the environment variable EXPERIMENTAL_FEATURES to include "fasp".
How can this vulnerability impact me?
If you are running a Mastodon server with the experimental FASP feature enabled, this vulnerability can allow attackers to subscribe to events and request content backfill without administrator approval.
The immediate impact includes minor information disclosure of URIs that are publicly available anyway.
More seriously, repeated exploitation can lead to a denial-of-service (DoS) condition by overwhelming the Sidekiq worker responsible for processing FASP queue jobs, which can degrade or disrupt service availability.
Servers not using the experimental FASP feature are not affected by this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects Mastodon servers that have enabled the experimental FASP feature by setting the environment variable EXPERIMENTAL_FEATURES to include "fasp". Detection involves verifying whether your Mastodon instance is running a vulnerable version (4.4.0 through 4.4.13 or 4.5.0 through 4.5.6) and if the experimental FASP feature is enabled.

To detect potential exploitation attempts, monitor the Sidekiq worker queue for unusually high loads related to the "fasp" queue, which may indicate repeated unauthorized subscription or backfill requests.

Specific commands to check your Mastodon version and environment variable settings include:

- Check Mastodon version: `bundle exec mastodon --version` or check the version in your deployment configuration.
- Check if the experimental FASP feature is enabled: `echo $EXPERIMENTAL_FEATURES` and look for the presence of "fasp".
- Monitor Sidekiq queues for high load on the fasp queue: use `sidekiqctl stats` or check Sidekiq web UI for queue sizes and latency.

Additionally, reviewing Mastodon logs for unauthorized or repeated FASP subscription or backfill requests from unconfirmed providers may help detect exploitation attempts.
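The two detection conditions above (affected version range, and "fasp" present in EXPERIMENTAL_FEATURES) are easy to get wrong by eye, for example by treating 4.4.14 as "in" the range or matching "fasp" as a substring of another feature name. The POSIX shell script below is an added example, not code from the CVE record or from the Mastodon project: it compares a version string against the two half-open ranges from the affected-products table and checks the feature list for a whole "fasp" token. The function names are my own, and it assumes EXPERIMENTAL_FEATURES is a comma-separated list of feature names.

```shell
#!/bin/sh
# Added example (not from the CVE record or Mastodon): decide whether a
# Mastodon instance matches CVE-2026-27468's affected ranges AND has the
# experimental FASP feature enabled.

# Compare two dotted version strings numerically, segment by segment.
# Prints -1, 0 or 1. Non-numeric suffixes (e.g. "14rc1") are truncated to
# their leading digits, so pre-releases compare as their base version.
version_cmp() {
  a="$1"
  b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax="${a%%.*}"
    bx="${b%%.*}"
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    ax=$(printf '%s' "$ax" | sed 's/[^0-9].*//')
    bx=$(printf '%s' "$bx" | sed 's/[^0-9].*//')
    ax="${ax:-0}"
    bx="${bx:-0}"
    if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return; fi
    if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Returns 0 if the version lies in [4.4.0, 4.4.14) or [4.5.0, 4.5.7),
# i.e. the ranges listed for this CVE (upper bounds are the fixed releases
# and are therefore excluded).
in_affected_range() {
  v="$1"
  for range in "4.4.0 4.4.14" "4.5.0 4.5.7"; do
    set -- $range   # $1 = inclusive lower bound, $2 = exclusive upper bound
    if [ "$(version_cmp "$v" "$1")" -ge 0 ] && [ "$(version_cmp "$v" "$2")" -lt 0 ]; then
      return 0
    fi
  done
  return 1
}

# Returns 0 if "fasp" appears as a whole token in a comma-separated feature
# list (assumption: that is how EXPERIMENTAL_FEATURES is formatted).
# Spaces are stripped so "foo, fasp" still matches; "faspx" does not.
fasp_enabled() {
  case ",$(printf '%s' "$1" | tr -d ' ')," in
    *,fasp,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Overall exposure check: both conditions must hold. Servers on a fixed
# version, or with FASP disabled, are not affected.
fasp_exposure() {
  in_affected_range "$1" && fasp_enabled "$2"
}

# Usage: ./fasp_check.sh <mastodon-version> [experimental-features]
# The feature list defaults to the current EXPERIMENTAL_FEATURES value.
if [ $# -ge 1 ]; then
  if fasp_exposure "$1" "${2:-$EXPERIMENTAL_FEATURES}"; then
    echo "affected: version $1 is in range and FASP is enabled"
  else
    echo "not affected: update anyway if FASP is in use"
  fi
fi
```

Run it with the version reported by your deployment and the EXPERIMENTAL_FEATURES value from the Mastodon process environment (not your login shell, which may differ from what the service was started with). A "not affected" result only covers this CVE's two conditions; it says nothing about Sidekiq queue load, which still needs the monitoring described above.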
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update your Mastodon server to a fixed version that addresses this vulnerability. Specifically, upgrade to Mastodon version 4.4.14 or later if you are on the 4.4.x branch, or 4.5.7 or later if you are on the 4.5.x branch.

If you are actively using the experimental FASP feature (enabled via the EXPERIMENTAL_FEATURES environment variable including "fasp"), it is critical to apply this update promptly to ensure that only confirmed FASP providers can perform subscriptions and backfill requests.

If you are not using the experimental FASP feature, your server is not affected by this vulnerability.

As an immediate temporary measure, consider disabling the experimental FASP feature by removing "fasp" from the EXPERIMENTAL_FEATURES environment variable to prevent exploitation until you can update.

Monitor your Sidekiq worker queues for unusual activity related to the fasp queue and investigate any suspicious load or errors.