CVE-2026-33869 | THREATINT

Description

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.

PUBLISHED Reserved 2026-03-24 | Published 2026-03-27 | Updated 2026-03-27 | Assigner GitHub_M

MEDIUM: 4.8CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Problem types

CWE-863: Incorrect Authorization

Product status

>= 4.5.0, < 4.5.8

affected

>= 4.4.0, < 4.4.15

affected

References

github.com/...stodon/security/advisories/GHSA-q4g8-82c5-9h33

cve.org (CVE-2026-33869)

nvd.nist.gov (CVE-2026-33869)

Download JSON