CVE-2026-47777

June 15, 2026, 6:16 p.m.

7.5
High

Description

Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the FeatureAuthorization object that is used to verify consent to be featured in a Collection and thus make it appear as if an account is allowed to be in a Collection when it actually is not. While the FeatureAuthorization must reside on the same domain as the object it is for, a check is missing to make sure said object is actually the same as in the Collection item. This allows an attacker to forge the authorization. Mastodon servers are affected only if running the main branch or nightly builds who have opted into testing the experimental "Collections" feature by setting the environment variable EXPERIMENTAL_FEATURES to a value including collections. This has been patched in version 4.6.0-beta.1.

Product(s) Impacted

Vendor Product Versions
Mastodon
  • Mastodon
  • *, 4.6.0-beta.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-345
Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a mastodon mastodon / / / / / / / /
a mastodon mastodon 4.6.0-beta.1 / / / / / / /

References

https://github.com/mastodon/mastodon/commit/22203f8aeb03e8f14dc62e253e83db39825a5bcf
https://github.com/mastodon/mastodon/security/advisories/GHSA-vg36-gxjg-2v46

Tags

[email protected]
CWE-345
2026-06-15
CVE-2026-47777

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

    View Vector String

Timeline

Published: June 15, 2026, 6:16 p.m.
Last Modified: June 15, 2026, 6:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.