CVE-2026-46349
Activity Spoofing in Mastodon Prior to 4.5.10

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing attackers to re-arrange a valid signed JSON-LD activity from a third-party actor to have it processed differently. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Meta Information
Generated: 2026-06-25
AI Q&A generated: 2026-06-25
EPSS evaluated: N/A
Affected Vendors & Products
Vendor Product Version / Range
mastodon mastodon before 4.5.10 (excluded)
mastodon mastodon before 4.4.17 (excluded)
mastodon mastodon before 4.3.23 (excluded)
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
AI Quick Actions
Compliance Impact

The provided information does not specify how the vulnerability CVE-2026-46349 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-46349 is a vulnerability in Mastodon versions prior to 4.5.10, 4.4.17, and 4.3.23. It involves a flaw in the normalization of incoming activities signed with Linked-Data Signatures. Specifically, attackers can re-arrange a valid signed JSON-LD activity from a third-party actor, causing the activity to be processed differently than originally intended.

This issue is due to improper verification of cryptographic signatures (classified as CWE-347), allowing attackers to bypass signature protections by restructuring the JSON-LD named-graph.

Impact Analysis

The vulnerability allows attackers to re-issue retracted boosts (Announce activities) from third-party users without their involvement. This means that an attacker can manipulate signed activities to cause Mastodon to process them incorrectly, potentially leading to unauthorized actions appearing to come from legitimate users.

The severity is rated as Moderate with a CVSS score of 5.3, indicating low attack complexity, no privileges required, and no user interaction.

Detection Guidance

This vulnerability involves the manipulation of JSON-LD named-graph structures in Mastodon activities signed with Linked-Data Signatures. Detection would require monitoring incoming Mastodon activities for unusual or unexpected re-arrangements of signed JSON-LD data that could indicate exploitation attempts.

Since the vulnerability allows attackers to re-issue retracted boosts (Announce activities) from third-party users, one detection approach is to audit logs for unexpected or unauthorized re-boosts or activity replays.

No specific detection commands or tools are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade Mastodon to a fixed version: 4.5.10, 4.4.17, or 4.3.23 (or a later release in the same branch).

Upgrading ensures that the normalization of incoming activities signed with Linked-Data Signatures properly protects against the spoofing attack described.

No other immediate mitigation steps or workarounds are detailed in the provided resources.
