CVE-2026-33869
Quote Handling Vulnerability in Mastodon 4.4.x and 4.5.x
Publication date: 2026-03-27
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joinmastodon | mastodon | From 4.4.0 (inc) to 4.4.15 (exc) |
| joinmastodon | mastodon | From 4.5.0 (inc) to 4.5.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a moderate-severity denial of service (DoS) issue that affects the availability of a Mastodon server when it processes quotes. It does not directly affect confidentiality or data protection: no confidentiality loss or data breach is associated with it.
Because the vulnerability involves neither unauthorized access to personal data nor data leakage, it does not directly affect compliance with data protection regulations such as GDPR or HIPAA, which focus primarily on the confidentiality and integrity of personal data.
However, the partial impact on availability could affect service-availability requirements under some regulations or organizational policies; the provided resources do not explicitly link this vulnerability to any compliance failure.
Can you explain this vulnerability to me?
CVE-2026-33869 is a moderate-severity denial of service (DoS) vulnerability in the Mastodon social networking software, affecting the 4.5.x branch prior to 4.5.8 and the 4.4.x branch prior to 4.4.15.
The issue occurs during the processing of quote authorizations: an attacker who knows of a quote before it reaches the server can prevent the server from correctly processing that quote.
This results in a denial-of-service condition on the affected Mastodon server.
Mastodon versions 4.3 and earlier are not affected because they do not support quotes.
The vulnerability has been patched in Mastodon versions 4.5.8 and 4.4.15.
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) condition on a Mastodon server by preventing it from correctly processing certain quote authorizations.
The impact includes a partial loss of availability of the affected service.
The CVSS v3.1 score indicates a low impact on integrity and availability, with no impact on confidentiality.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your Mastodon server to version 4.5.8 or later if you are on the 4.5.x branch, or to version 4.4.15 or later if you are on the 4.4.x branch.
Versions 4.3 and earlier are not affected as they do not support quotes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about detection methods or commands to identify this vulnerability on a network or system.
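The advisory itself offers no detection method, but the affected-version table above is enough for a practical check: compare the version each server reports against the two affected ranges. The following Python is an added example written for this page, not code from Mastodon or from the advisory. It assumes that a Mastodon server reports its version in the `version` field of the `/api/v1/instance` JSON response (the sample response below is constructed, not captured), and it treats a pre-release tag such as `4.4.15-rc1` as sorting below the final `4.4.15` release so that release candidates of the fixed version are still flagged; that ordering is an assumption of this example, not a statement from the page.

```python
"""Classify a Mastodon version string against the ranges affected by CVE-2026-33869.

Affected, per the advisory: 4.4.0 <= v < 4.4.15 and 4.5.0 <= v < 4.5.8.
Versions 4.3 and earlier do not support quotes and are not affected.
"""
import json
import re
from typing import Optional, Tuple

# A version is (major, minor, patch, is_final). The 4th component is 1 for a
# final release and 0 for a pre-release, so 4.4.15-rc1 sorts below 4.4.15.
# (Assumption of this example: pre-releases of a fixed version are treated as unfixed.)
Version = Tuple[int, int, int, int]

# (inclusive lower bound, exclusive upper bound), taken from the advisory's table.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((4, 4, 0, 0), (4, 4, 15, 1)),
    ((4, 5, 0, 0), (4, 5, 8, 1)),
)

# Accepts "4.5.7", "v4.5.7", "4.4.15-rc1", "4.5.7+fork"; the optional "-..." group marks a pre-release.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(text: str) -> Optional[Version]:
    """Parse a version string into a comparable tuple; None if it is not recognisable."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    is_final = 0 if m.group(4) else 1
    return (major, minor, patch, is_final)


def is_affected(text: str) -> Optional[bool]:
    """True if the version lies in an affected range, False if not, None if unparseable."""
    v = parse_version(text)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_action(text: str) -> str:
    """Human-readable verdict naming the first fixed release of the matching branch."""
    v = parse_version(text)
    if v is None:
        return "unrecognised version string"
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "affected: upgrade to %d.%d.%d or later" % hi[:3]
    return "not affected"


def version_from_instance_json(body: str) -> Optional[str]:
    """Extract the 'version' string from an /api/v1/instance response body (assumed field name)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    v = doc.get("version") if isinstance(doc, dict) else None
    return v if isinstance(v, str) else None


# Constructed sample response for offline use; not captured from a real server.
SAMPLE_INSTANCE_JSON = '{"uri": "example.invalid", "title": "Example", "version": "4.5.7"}'


if __name__ == "__main__":
    for s in ("4.3.12", "4.4.14", "4.4.15", "4.4.15-rc1", "4.5.7", "4.5.8", "not-a-version"):
        print(f"{s:>14}: {recommended_action(s)}")
    reported = version_from_instance_json(SAMPLE_INSTANCE_JSON)
    print("sample instance reports", reported, "->", recommended_action(reported or ""))
```

Feed `version_from_instance_json` the body returned by each server you operate and log `recommended_action` for it; anything other than "not affected" for the 4.4.x or 4.5.x branches means the upgrade in the mitigation answer above is still outstanding.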