CVE-2026-46348
IP Spoofing Bypass in Mastodon

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the affected range to make Mastodon perform HTTP requests against loopback interfaces, potentially allowing access to otherwise private resources and services. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
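As an added illustration (not Mastodon's code), the Python below models the bug class in the description: a hand-written deny-list of IP ranges that omits a range which still reaches the local host, beside a property-based check that closes such gaps and an audit that reports them. The specific range Mastodon omitted is not stated on this page; NARROW_DENY_LIST and PROBES are constructed for the example.

```python
import ipaddress

# Hypothetical deny-list of the kind an outbound fetcher might consult.
# Note that it blocks a single loopback address, not the whole loopback block.
NARROW_DENY_LIST = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128",
)]


def blocked_by_list(addr, deny_list):
    """List-based check: True if addr lies inside any listed range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in deny_list if net.version == ip.version)


def is_local_destination(addr):
    """Property-based check: True for any address that denotes the local host,
    a private or link-local network, or another non-routable special range.
    IPv4-mapped IPv6 forms are unwrapped so the inner IPv4 address is judged."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def audit_deny_list(deny_list, probes):
    """Return the probe addresses that denote a local destination yet are not
    blocked by the list: each is a gap of the kind the advisory describes."""
    return [a for a in probes
            if is_local_destination(a) and not blocked_by_list(a, deny_list)]


# Constructed probe set: the first two fall inside listed ranges, the next
# four denote local interfaces that the narrow list does not cover, and the
# last is a public address a fetcher should still be allowed to reach.
PROBES = ["127.0.0.1", "10.1.2.3", "127.0.0.2", "::ffff:127.0.0.1",
          "169.254.1.1", "0.0.0.0", "8.8.8.8"]

if __name__ == "__main__":
    for gap in audit_deny_list(NARROW_DENY_LIST, PROBES):
        print("not covered by deny-list:", gap)
```

Running the audit against a real deny-list with a broad probe set is a cheap regression check for the gap this advisory describes.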
Affected Vendors & Products (4 associated CPEs)
Vendor     Product    Version / Range
mastodon   mastodon   4.3.23
mastodon   mastodon   4.4.17
mastodon   mastodon   4.5.10
mastodon   mastodon   up to 4.3.23 (excluding)
CWE ID    Description
CWE-918   The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Quick Actions
Executive Summary

This vulnerability affects Mastodon, an open-source social network server. Before the fixed versions, Mastodon did not block a specific IP address range that can be used to reach local IP addresses. An attacker could exploit this by making Mastodon send HTTP requests to loopback interfaces (addresses that route back to the server itself), potentially gaining access to private resources and services that should not be reachable from outside.

Impact Analysis

The vulnerability allows an attacker to make Mastodon perform HTTP requests to local network addresses, which could expose private resources and services that are normally protected from external access. This could lead to unauthorized access to sensitive internal systems or data.

Mitigation Strategies

To mitigate this vulnerability, upgrade Mastodon to version 4.5.10, 4.4.17, or 4.3.23 (or a later release of the same branch), where the missing entry in the disallowed IP address ranges has been fixed.

Compliance Impact

This vulnerability allows an attacker to make Mastodon perform HTTP requests against loopback interfaces, potentially exposing private resources and services. Such unauthorized access to internal services could lead to exposure of sensitive data.

Exposure of sensitive data through this Server-Side Request Forgery (SSRF) vulnerability could impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information from unauthorized access.

Therefore, until patched, this vulnerability may increase the risk of non-compliance with these standards due to potential data breaches or unauthorized data exposure.
