FKIE_CVE-2026-22246

Vulnerability from fkie_nvd - Published: 2026-01-08 16:16 - Updated: 2026-01-22 13:52
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4.
References
security-advisories@github.comhttps://github.com/mastodon/mastodon/commit/68e30985ca7afdb89af1b2e9dc962e1993dc8076Patch
security-advisories@github.comhttps://github.com/mastodon/mastodon/commit/b2bcd34486fd6681cc0f30028086ef0f47282adfPatch
security-advisories@github.comhttps://github.com/mastodon/mastodon/commit/c1fb6893c5175d74c074f6f786d504c8bc610d57Patch
security-advisories@github.comhttps://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24Third Party Advisory
Impacted products
Vendor Product Version
joinmastodon mastodon *
joinmastodon mastodon *
joinmastodon mastodon *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B2706E5-A6D0-4790-A3E6-5DE023465AB2",
              "versionEndExcluding": "4.3.17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DD92863A-CB76-45AA-BF4D-9870B24E8109",
              "versionEndExcluding": "4.4.11",
              "versionStartIncluding": "4.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3E8FBAF5-C7BC-4980-9780-50BA935D126B",
              "versionEndExcluding": "4.5.4",
              "versionStartIncluding": "4.5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4."
    },
    {
      "lang": "es",
      "value": "Mastodon es un servidor de red social gratuito, de c\u00f3digo abierto, basado en ActivityPub. Mastodon 4.3 a\u00f1adi\u00f3 notificaciones de relaciones cortadas, permitiendo a los usuarios finales inspeccionar las relaciones que perdieron como resultado de una acci\u00f3n de moderaci\u00f3n. El c\u00f3digo que permite a los usuarios descargar listas de relaciones cortadas para un evento particular no verifica al propietario de la lista antes de devolver las relaciones perdidas. Cualquier usuario local registrado puede acceder a la lista de seguidores perdidos y usuarios seguidos causada por cualquier evento de corte, y revisar todos los eventos de corte de esta manera. La informaci\u00f3n filtrada no incluye el nombre de la cuenta que ha perdido seguimientos y seguidores. Esto ha sido corregido en Mastodon v4.3.17, v4.4.11 y v4.5.4."
    }
  ],
  "id": "CVE-2026-22246",
  "lastModified": "2026-01-22T13:52:28.883",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-08T16:16:02.957",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/mastodon/mastodon/commit/68e30985ca7afdb89af1b2e9dc962e1993dc8076"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/mastodon/mastodon/commit/b2bcd34486fd6681cc0f30028086ef0f47282adf"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/mastodon/mastodon/commit/c1fb6893c5175d74c074f6f786d504c8bc610d57"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-201"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.