CVE-2026-46348
Deferred Deferred - Pending Action

IP Spoofing Bypass in Mastodon

Vulnerability report for CVE-2026-46348, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the affected range to make Mastodon perform HTTP requests against loopback interfaces, potentially allowing access to otherwise private resources and services. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
mastodon mastodon 4.3.23
mastodon mastodon 4.4.17
mastodon mastodon 4.5.10
mastodon mastodon to 4.3.23 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Mastodon, an open-source social network server. Before certain fixed versions, Mastodon did not properly block a specific IP address range that can be used to access local IP addresses. An attacker could exploit this by making Mastodon send HTTP requests to loopback interfaces (local network addresses), potentially gaining access to private resources and services that should not be accessible externally.

Impact Analysis

The vulnerability allows an attacker to make Mastodon perform HTTP requests to local network addresses, which could expose private resources and services that are normally protected from external access. This could lead to unauthorized access to sensitive internal systems or data.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Mastodon to version 4.5.10, 4.4.17, or 4.3.23 or later, where the issue with the disallowed IP address ranges has been fixed.

Compliance Impact

This vulnerability allows an attacker to make Mastodon perform HTTP requests against loopback interfaces, potentially exposing private resources and services. Such unauthorized access to internal services could lead to exposure of sensitive data.

Exposure of sensitive data through this Server-Side Request Forgery (SSRF) vulnerability could impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information from unauthorized access.

Therefore, until patched, this vulnerability may increase the risk of non-compliance with these standards due to potential data breaches or unauthorized data exposure.

Detection Guidance

This vulnerability involves Mastodon servers making unauthorized HTTP requests to local or loopback IP addresses due to an incomplete blocklist of disallowed IP ranges. Detection involves monitoring Mastodon server logs and network traffic for HTTP requests targeting local IP addresses, especially those in the IPv6 unspecified address range (::).

You can check Mastodon server logs for unusual outbound HTTP requests to local or loopback addresses. Additionally, network monitoring tools can be used to detect such traffic.

  • Use command-line tools like tcpdump or tshark to capture and filter HTTP requests from the Mastodon server to local IP ranges. For example:
  • tcpdump -i <interface> 'tcp port 80 or tcp port 443 and (dst net 127.0.0.0/8 or dst net ::1/128 or dst net ::/128)'
  • Use curl or wget commands on the Mastodon server to test if HTTP requests to local IP addresses are possible, e.g.: curl http://127.0.0.1 or curl http://[::1]

Review the Mastodon version installed and verify if it is prior to the patched versions 4.5.10, 4.4.17, or 4.3.23, as these versions contain the fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46348. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart