CVE-2026-50128
Signature Bypass in Mastodon ActivityPub

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature that lets websites credit the authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term; however, an error in how that term is defined makes Linked Data Signatures on the toot:attributionDomains property ineffective. An attacker can arbitrarily modify the attributionDomains value of a legitimately signed Update activity and bypass Mastodon's signature verification. This vulnerability is fixed in 4.5.11 and 4.4.18.
Meta Information
Generated: 2026-06-25
AI Q&A generated: 2026-06-25
CVSS: not provided
EPSS: not evaluated
Affected Vendors & Products (2 associated CPEs)
Vendor    Product   Version / Range
mastodon  mastodon  from 4.3.0 (inc) to 4.5.11 (inc)
mastodon  mastodon  to 4.4.18 (inc)
CWE
CWE-354: The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.
Executive Summary

This vulnerability affects Mastodon versions from 4.3.0 until 4.5.11 and 4.4.18. Mastodon lets websites credit the authors of their articles and, to prevent false attribution claims, relies on the attributionDomains JSON-LD term. An error in how that term is defined makes Linked Data Signatures on the toot:attributionDomains property ineffective.

Because of this flaw, an attacker can arbitrarily modify the attributionDomains value of a legitimately signed Update activity and bypass Mastodon's signature verification.

This means that the attacker can forge or alter attribution information despite the presence of signature verification, undermining the integrity of author attribution.

Impact Analysis

This vulnerability allows an attacker to modify the attributionDomains value on a legitimately signed update, effectively bypassing signature verification.

As a result, false attribution claims can be made, which can lead to misinformation about the authorship of content.

This could damage trust in the authenticity of content shared on Mastodon instances and potentially harm reputations or mislead users.

Mitigation Strategies

To mitigate this vulnerability, upgrade Mastodon to version 4.5.11 or 4.4.18 or later, where the issue with the attributionDomains JSON-LD term and signature verification has been fixed. Because the signature is verified by the instance that receives the signed Update activity, every instance that accepts remote activities needs the fix; upgrading only the originating server does not protect receivers.
