CVE-2026-22246 Overview
CVE-2026-22246 is an Insecure Direct Object Reference (IDOR) vulnerability in Mastodon, a free, open-source social network server based on ActivityPub. The vulnerability exists in the severed relationships notification feature introduced in Mastodon 4.3, which allows end-users to inspect relationships they lost as a result of moderation actions. Due to missing authorization checks, any registered local user can access the list of lost followers and followed users from any severance event on the instance.
Critical Impact
Any authenticated user can enumerate and download relationship data from all severance events on the instance, exposing sensitive social graph information that should only be accessible to the affected account owner.
Affected Products
- Mastodon versions 4.3.0 through 4.3.16
- Mastodon versions 4.4.0 through 4.4.10
- Mastodon versions 4.5.0 through 4.5.3
Discovery Timeline
- 2026-01-08 - CVE-2026-22246 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-22246
Vulnerability Analysis
This vulnerability stems from a missing authorization check in the SeveredRelationshipsController. When a user requests to download the list of severed relationships for a specific event, the controller retrieves the AccountRelationshipSeveranceEvent record by its ID without verifying that the requesting user is the owner of that event. This allows any authenticated user to access sensitive relationship data belonging to other users by simply iterating through event IDs.
The leaked information includes the list of lost followers and followed users caused by moderation actions such as domain blocks or account suspensions. While the vulnerability does not directly expose the account name that lost the relationships, an attacker could enumerate through all severance events and build a comprehensive view of moderation impacts and user relationships across the instance.
Root Cause
The root cause is a classic Insecure Direct Object Reference (IDOR) vulnerability where the application fails to implement proper access control checks before returning sensitive data. The set_event method in the controller uses a direct find query without scoping to the current user's account, allowing any authenticated user to access any severance event by manipulating the ID parameter.
Attack Vector
The attack vector is network-based and requires low privileges (any registered local user account). An attacker can exploit this vulnerability by:
- Authenticating to the Mastodon instance with any valid user account
- Making requests to the severed relationships download endpoint
- Iterating through sequential event IDs to enumerate all severance events on the instance
- Downloading the relationship lists for events belonging to other users
# Vulnerable code (before patch)
def set_event
@event = AccountRelationshipSeveranceEvent.find(params[:id])
end
# Fixed code (after patch)
def set_event
@event = AccountRelationshipSeveranceEvent.where(account: current_account).find(params[:id])
end
Source: GitHub Commit
Detection Methods for CVE-2026-22246
Indicators of Compromise
- Unusual patterns of requests to severed relationships endpoints with sequential or enumerated IDs
- High volume of requests to /severed_relationships/:id endpoints from a single user account
- Access logs showing requests to severance event IDs that don't belong to the requesting user
Detection Strategies
- Monitor application logs for requests to the severed relationships controller with varying event IDs
- Implement anomaly detection for users accessing multiple severance event records in short time periods
- Review access patterns for the /severed_relationships endpoint looking for enumeration behavior
Monitoring Recommendations
- Enable detailed logging for the SeveredRelationshipsController to capture all access attempts
- Set up alerts for high-frequency access to severance event endpoints
- Regularly audit access logs for patterns consistent with IDOR exploitation attempts
How to Mitigate CVE-2026-22246
Immediate Actions Required
- Upgrade Mastodon to version 4.3.17, 4.4.11, or 4.5.4 immediately
- Review application logs for potential exploitation attempts prior to patching
- Consider temporarily disabling the severed relationships download feature if immediate upgrade is not possible
Patch Information
Mastodon has released security patches addressing this vulnerability. The fix adds proper authorization checks by scoping the database query to the current user's account. Updated versions include:
- Mastodon v4.3.17 - View commit
- Mastodon v4.4.11 - View commit
- Mastodon v4.5.4 - View commit
For additional details, refer to the GitHub Security Advisory.
Workarounds
- If upgrading is not immediately possible, consider restricting access to the severed relationships feature at the web server level
- Implement rate limiting on the affected endpoints to slow potential enumeration attempts
- Monitor access logs closely for signs of exploitation while awaiting the upgrade window
# Example nginx rate limiting for the affected endpoint
location /severed_relationships {
limit_req zone=sensitive_endpoints burst=5 nodelay;
proxy_pass http://mastodon_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
