CVE-2026-33868
Status: Received - Intake
Open Redirect Vulnerability in Mastodon Enables Phishing Attacks

Publication date: 2026-03-27

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.
Meta Information
Published: 2026-03-27
Last Modified: 2026-03-30
Generated: 2026-06-16
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 3 associated CPEs

Vendor         Product    Version / Range
joinmastodon   mastodon   From 4.4.0 (inc) up to 4.4.15 (exc)
joinmastodon   mastodon   From 4.5.0 (inc) up to 4.5.8 (exc)
joinmastodon   mastodon   Up to 4.3.21 (exc)
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Quick Actions
Executive Summary

CVE-2026-33868 is an unauthenticated Open Redirect vulnerability in the Mastodon web application affecting versions prior to 4.5.8, 4.4.15, and 4.3.21. It exists in the `/web/*` route due to improper handling of URL-encoded path segments, specifically URL-encoded slashes (`%2F`). These encoded slashes bypass Rails path normalization, causing the application to interpret the path as a host-relative redirect.

An attacker can exploit this by crafting a specially encoded URL that redirects users to arbitrary external domains. This allows attackers to perform phishing attacks by leveraging trusted Mastodon URLs, harvest credentials through fake login pages, and intercept OAuth authorization codes when combined with login flows.

Impact Analysis

This vulnerability can impact users by enabling attackers to redirect them to malicious external websites using trusted Mastodon URLs. This can lead to phishing attacks where users may be tricked into providing sensitive information such as login credentials.

Additionally, attackers can intercept OAuth authorization codes during login flows, potentially leading to unauthorized access to user accounts. The vulnerability affects all visitors, including unauthenticated users.

Detection Guidance

This vulnerability can be detected by testing the Mastodon instance for improper handling of URL-encoded path segments in the `/web/*` route. Specifically, you can attempt to access URLs containing URL-encoded slashes (`%2F`) that cause redirects to external domains.

For example, you can use curl or similar HTTP clients to test if the server redirects to an arbitrary external domain when given a specially crafted URL.

  • curl -I 'https://your-mastodon-instance/web/%2Fhttps://malicious.example.com'
  • Observe the HTTP response headers for a Location header redirecting to the external domain.

If the Location header points to a host other than the instance itself (an absolute URL on another domain, or a protocol-relative `//host` reference that browsers resolve to another host), the instance is vulnerable. A redirect that stays on the instance's own host is the route's normal behaviour and is not a finding.

Mitigation Strategies

The immediate mitigation step is to upgrade the Mastodon instance to a fixed version. The vulnerability is patched in versions 4.5.8, 4.4.15, and 4.3.21.

If upgrading immediately is not possible, consider implementing web application firewall (WAF) rules that block requests whose path under `/web/` contains a percent-encoded slash (`%2F`). Match the sequence case-insensitively, since `%2f` decodes to the same character, and check the raw (undecoded) request path so the encoded form is still visible to the rule.

Additionally, educate users to be cautious of suspicious links that may redirect them to untrusted external domains.
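The following is an added example written for this page, not Mastodon's own code or its patch. It models the legacy `/web/<segment>` rewrite as "prepend a slash to the percent-decoded segment" (an assumption), shows the same-origin check a hardened handler would apply before issuing the redirect, and implements the detection and WAF-style pre-filter from the sections above over constructed access-log lines. `mastodon.example` and `malicious.example.com` are placeholders.

```python
"""Model of the legacy /web/* redirect and a same-origin check for its target.

Constructed illustration, not Mastodon's code: the route is assumed to rewrite
/web/<segment> to /<segment> after Rails has percent-decoded the segment.
"""
import re
from urllib.parse import unquote, urljoin, urlsplit

ORIGIN = "https://mastodon.example"  # assumed instance origin (placeholder)

# WAF-style pre-filter from the mitigation section: a percent-encoded slash in
# the /web/ path is not something legitimate legacy links contain.
ENCODED_SLASH_IN_WEB = re.compile(r"^/web/[^?#]*%2f", re.IGNORECASE)


def build_target(segment: str) -> str:
    """Assumed legacy behaviour: prepend '/' to the percent-decoded glob segment."""
    return "/" + unquote(segment)


def is_same_origin(target: str, origin: str = ORIGIN) -> bool:
    """True only if the target, resolved as a browser would, stays on origin."""
    decoded = target
    for _ in range(3):  # collapse nested encoding so %252F cannot smuggle a slash
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")  # browsers treat backslash as slash
    if decoded.startswith("//"):  # network-path reference: jumps to another host
        return False
    resolved = urlsplit(urljoin(origin + "/", decoded))
    expected = urlsplit(origin)
    return (resolved.scheme, resolved.netloc) == (expected.scheme, expected.netloc)


def safe_redirect_target(segment: str, origin: str = ORIGIN) -> str:
    """Hardened variant: fall back to the instance root if the target leaves origin."""
    target = build_target(segment)
    return target if is_same_origin(target, origin) else "/"


def flag_requests(log_lines):
    """Request paths from (constructed) access-log lines that match the pre-filter."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|HEAD) (\S+) HTTP/', line)
        if m and ENCODED_SLASH_IN_WEB.search(m.group(1)):
            hits.append(m.group(1))
    return hits
```

`safe_redirect_target` returns the ordinary `/<segment>` path for normal legacy links and `/` whenever the decoded segment would carry the browser to another host, which is the property to test for rather than the presence of a redirect as such.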

Compliance Impact

The vulnerability enables attackers to perform phishing attacks and potentially steal OAuth credentials by redirecting users to arbitrary external domains. This abuse of trust in legitimate Mastodon instance domains could lead to unauthorized access to user credentials and personal data.

Such unauthorized access and credential theft could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding user data and preventing unauthorized access.

However, the vulnerability itself does not directly compromise the confidentiality or availability of data held by the instance; it facilitates phishing and credential theft, which are relevant concerns under these regulations.
