CVE-2026-48028
Signature Spoofing in Mastodon Prior to 4.5.10

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from a third-party actor. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs

Vendor     Product     Version / Range
mastodon   mastodon    to 4.5.10 (inc)
mastodon   mastodon    to 4.4.17 (inc)
mastodon   mastodon    to 4.3.23 (inc)
mastodon   mastodon    to 4.3.23 (exc)
CWE
CWE-354: The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.
Executive Summary

This vulnerability affects Mastodon, an open-source social network server. Before certain fixed versions (4.5.10, 4.4.17, and 4.3.23), Mastodon's process for normalizing incoming activities signed with Linked-Data Signatures did not adequately protect against a specific type of spoofing attack.

Specifically, threat actors could exploit this weakness to remove JSON entries from valid signed activities that originated from a third-party actor, potentially altering the content or intent of those activities.

Impact Analysis

The vulnerability allows attackers to manipulate signed activities by removing JSON entries, which can lead to integrity issues in the data received by Mastodon servers.

This manipulation could result in misleading or incomplete information being processed or displayed, potentially impacting the reliability and trustworthiness of the social network interactions.

According to the CVSS score (6.5), the vulnerability has a moderate severity with impacts on integrity and availability, meaning it could cause some disruption or data alteration without compromising confidentiality.

Mitigation Strategies

To mitigate this vulnerability, upgrade your Mastodon server to the fixed release for the branch you run (4.5.10, 4.4.17, or 4.3.23) or later, where the issue has been fixed.

Compliance Impact

The provided information does not specify how CVE-2026-48028 affects compliance with common standards and regulations such as GDPR or HIPAA.
