CVE-2026-33869
Received Received - Intake
Quote Handling Vulnerability in Mastodon 4.4.x and 4.5.x

Publication date: 2026-03-27

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33869
EUVD
EUVD-2026-16785
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
joinmastodon mastodon From 4.4.0 (inc) to 4.4.15 (exc)
joinmastodon mastodon From 4.5.0 (inc) to 4.5.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability is a moderate severity denial of service (DoS) issue that affects the availability of the Mastodon server when processing quotes. It does not impact confidentiality or data protection directly, as there is no confidentiality loss or data breach associated with this vulnerability.

Since the vulnerability does not involve unauthorized access to personal data or data leakage, it does not directly affect compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal data.

However, the partial impact on availability could potentially affect service availability requirements under some regulations or organizational policies, but there is no explicit information linking this vulnerability to compliance failures in the provided resources.

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on a network or system.

Executive Summary

CVE-2026-33869 is a moderate severity denial of service (DoS) vulnerability affecting the Mastodon social networking software, specifically versions prior to 4.5.8 and 4.4.15.

The issue occurs during the processing of quote authorizations: an attacker who knows of a quote before it reaches the server can prevent the server from correctly processing that quote.

This causes a denial of service condition on the affected Mastodon server.

Mastodon versions 4.3 and earlier are not affected because they do not support quotes.

The vulnerability has been patched in Mastodon versions 4.5.8 and 4.4.15.

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition on a Mastodon server by preventing it from correctly processing certain quote authorizations.

The impact includes a partial loss of availability of the affected service.

The CVSS v3.1 score indicates a low impact on integrity and availability, with no impact on confidentiality.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Mastodon server to version 4.5.8 or later if you are on the 4.5.x branch, or to version 4.4.15 or later if you are on the 4.4.x branch.

Versions 4.3 and earlier are not affected as they do not support quotes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33869. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart