CVE-2026-47777
Status: Received - Intake
Mastodon Collections Feature Authorization Bypass

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. In affected versions, a missing condition in the check of whether a remote account consented to be featured in a remote Collection lets an attacker bypass the check and fake consent. The consent check dereferences a FeatureAuthorization object; while that object must reside on the same domain as the account it is for, nothing verifies that the account it names is the same account that appears in the Collection item. An attacker can therefore cite an authorization that exists for a different object on that domain (or is otherwise not for the listed account) and make it appear as if the account agreed to be in the Collection when it did not. Mastodon servers are affected only if they run the main branch or nightly builds and have opted into testing the experimental "Collections" feature by setting the environment variable EXPERIMENTAL_FEATURES to a value that includes collections. This has been patched in version 4.6.0-beta.1.
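The missing comparison described above, shown as an added Ruby example. This is not Mastodon's code: the shapes of the Collection item and FeatureAuthorization documents, the field names object, target and featureAuthorization, and the hosts and URIs are all assumptions constructed for the illustration. The vulnerable verifier enforces the same-domain rule and the type, but never binds the fetched authorization to the account listed in the item; the hardened verifier adds that binding and also checks that the document's id is the URI that was dereferenced.

```ruby
# Added illustration for CVE-2026-47777; not Mastodon's code. Document shapes,
# field names ('object', 'target', 'featureAuthorization') and URIs are assumed.
require 'uri'

# Constructed stand-ins for documents the verifying server would fetch.
# Bob genuinely consented to be featured; Alice never did.
REMOTE_DOCS = {
  'https://remote.example/authorizations/bob-1' => {
    'id'     => 'https://remote.example/authorizations/bob-1',
    'type'   => 'FeatureAuthorization',
    'object' => 'https://remote.example/users/bob',       # who consented
    'target' => 'https://example.social/collections/1',  # to which collection
  },
}.freeze

COLLECTION_ID = 'https://example.social/collections/1'

# Attacker-controlled item: Alice is listed, but the item points at Bob's
# authorization, which lives on the same domain as Alice's account.
FORGED_ITEM = {
  'object'               => 'https://remote.example/users/alice',
  'featureAuthorization' => 'https://remote.example/authorizations/bob-1',
}.freeze

# Honest item: Bob listed with Bob's own authorization.
LEGIT_ITEM = {
  'object'               => 'https://remote.example/users/bob',
  'featureAuthorization' => 'https://remote.example/authorizations/bob-1',
}.freeze

def same_host?(a, b)
  URI(a).host.to_s.downcase == URI(b).host.to_s.downcase
end

# Stand-in for dereferencing a URI over the network; nil for unknown URIs.
def fetch(uri)
  REMOTE_DOCS[uri]
end

# Vulnerable: same-domain, type and target are checked, but the fetched
# authorization's own 'object' is never compared with the item's 'object'.
def consent_verified_vulnerable?(item, collection_id)
  auth_uri = item['featureAuthorization']
  return false unless auth_uri && same_host?(auth_uri, item['object'])
  auth = fetch(auth_uri)
  return false unless auth && auth['type'] == 'FeatureAuthorization'
  auth['target'] == collection_id
end

# Hardened: the authorization must be the document we dereferenced and must
# name exactly the account that the Collection item lists.
def consent_verified_fixed?(item, collection_id)
  auth_uri = item['featureAuthorization']
  return false unless auth_uri && same_host?(auth_uri, item['object'])
  auth = fetch(auth_uri)
  return false unless auth && auth['type'] == 'FeatureAuthorization'
  return false unless auth['id'] == auth_uri
  return false unless auth['object'] == item['object'] # the missing check
  auth['target'] == collection_id
end

if __FILE__ == $PROGRAM_NAME
  puts "forged item, vulnerable check: #{consent_verified_vulnerable?(FORGED_ITEM, COLLECTION_ID)}"
  puts "forged item, fixed check:      #{consent_verified_fixed?(FORGED_ITEM, COLLECTION_ID)}"
  puts "legit item,  fixed check:      #{consent_verified_fixed?(LEGIT_ITEM, COLLECTION_ID)}"
end
```

The same-domain rule alone is not a binding: any FeatureAuthorization hosted on the account's domain satisfies it, so the verifier has to compare the object the authorization names with the object the Collection item lists, and the hardened version does that before accepting the item.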
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
mastodon mastodon 4.6.0-beta.1
mastodon main_branch *
mastodon nightly_builds *
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
AI Quick Actions
Executive Summary

This vulnerability in Mastodon involves a missing condition in the verification process for remote accounts consenting to be featured in a remote Collection. An attacker can exploit this by forging the FeatureAuthorization object, which is supposed to confirm consent. Because the system does not properly check that the authorization object corresponds exactly to the account in the Collection, attackers can make it appear as if an unauthorized account has consented to be featured.

The issue affects Mastodon servers running the main branch or nightly builds that have enabled the experimental "Collections" feature by setting the EXPERIMENTAL_FEATURES environment variable to include collections. This flaw was patched in version 4.6.0-beta.1.

Impact Analysis

The vulnerability lets an attacker bypass consent verification and list accounts in a Collection that never agreed to be featured. The impact is to integrity: which accounts appear as featured can be manipulated without the authorization the feature is designed to require.

The page reports a CVSS score of 7.5 (High): the flaw is reachable over the network and needs no privileges or user interaction. Exploitation presupposes that the target server has the experimental Collections feature enabled, so the exposed population is limited to main-branch and nightly deployments that opted in.

Detection Guidance

Only servers running the main branch or nightly builds with the experimental "Collections" feature enabled are in scope; tagged releases are not listed as affected.

To determine whether your server is in scope, first check whether the EXPERIMENTAL_FEATURES setting includes "collections".

You can inspect the variable in your current shell with:

  • echo $EXPERIMENTAL_FEATURES

Note that this shows only the current shell's environment. Mastodon deployments normally set the variable in .env.production or in the container or service unit environment, so check there as well; the setting that matters is the one the web and Sidekiq processes were started with.

If the value includes "collections", your server is exposed if it is also running an affected build.

Next, verify the Mastodon version from the application directory:

  • RAILS_ENV=production bin/tootctl version

A main-branch or nightly checkout typically reports a pre-release version string (an alpha or nightly identifier) that cannot be ordered against 4.6.0-beta.1 by version number alone. For such a build, confirm from the repository history that the checked-out commit includes the fix. If the collections feature is enabled and the running build predates the fix shipped in 4.6.0-beta.1, your system is vulnerable.

Mitigation Strategies

To mitigate this vulnerability immediately, disable the experimental "Collections" feature by removing "collections" from the EXPERIMENTAL_FEATURES environment variable and restarting the web and Sidekiq processes so the change takes effect.

Alternatively, upgrade your Mastodon server to version 4.6.0-beta.1 or later (or to a main-branch or nightly build that includes the fix).

The patch adds the missing check that the object named in the FeatureAuthorization is the same object that appears in the Collection item it is cited for, so an authorization hosted on the right domain but issued for a different account is no longer accepted.

If upgrading immediately is not possible, disabling the collections feature removes the vulnerable code path and prevents exploitation.

Compliance Impact

This vulnerability impacts data integrity by allowing attackers to forge consent for featuring remote accounts in Collections, potentially leading to unauthorized inclusion of accounts. However, it does not affect data confidentiality or availability.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to forge consent could raise concerns under regulations that require explicit user consent for data processing or sharing.

Organizations using affected Mastodon versions with the experimental Collections feature enabled should consider the risk of unauthorized data representation and ensure they apply the patch to maintain compliance with consent-related requirements.
