CVE-2026-47777

HIGH EPSS 6.4%

Published Jun 15, 20262w ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published Jun 15, 2026 2w ago

Last Modified Jun 17, 2026 1w ago

Description

Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the FeatureAuthorization object that is used to verify consent to be featured in a Collection and thus make it appear as if an account is allowed to be in a Collection when it actually is not. While the FeatureAuthorization must reside on the same domain as the object it is for, a check is missing to make sure said object is actually the same as in the Collection item. This allows an attacker to forge the authorization. Mastodon servers are affected only if running the main branch or nightly builds who have opted into testing the experimental "Collections" feature by setting the environment variable EXPERIMENTAL_FEATURES to a value including collections. This has been patched in version 4.6.0-beta.1.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity High

Availability None

Threat Intelligence

EPSS Exploit Probability

6.4% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-345

CWE-863 Incorrect Authorization Authorization

References 2

github.com https://github.com/mastodon/mastodon/commit/22203f8aeb03e8f14dc62e253e83db39825a5bcf
github.com https://github.com/mastodon/mastodon/security/advisories/GHSA-vg36-gxjg-2v46

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.