Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-22246

CVE-2026-22246: Mastodon Information Disclosure Flaw

CVE-2026-22246 is an information disclosure vulnerability in Mastodon that exposes severed relationship data to unauthorized users. This article covers the technical details, affected versions, security impact, and mitigation.

Updated:

CVE-2026-22246 Overview

CVE-2026-22246 is an Insecure Direct Object Reference (IDOR) vulnerability in Mastodon, a free, open-source social network server based on ActivityPub. The vulnerability exists in the severed relationships notification feature introduced in Mastodon 4.3, which allows end-users to inspect relationships they lost as a result of moderation actions. Due to missing authorization checks, any registered local user can access the list of lost followers and followed users from any severance event on the instance.

Critical Impact

Any authenticated user can enumerate and download relationship data from all severance events on the instance, exposing sensitive social graph information that should only be accessible to the affected account owner.

Affected Products

  • Mastodon versions 4.3.0 through 4.3.16
  • Mastodon versions 4.4.0 through 4.4.10
  • Mastodon versions 4.5.0 through 4.5.3

Discovery Timeline

  • 2026-01-08 - CVE-2026-22246 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2026-22246

Vulnerability Analysis

This vulnerability stems from a missing authorization check in the SeveredRelationshipsController. When a user requests to download the list of severed relationships for a specific event, the controller retrieves the AccountRelationshipSeveranceEvent record by its ID without verifying that the requesting user is the owner of that event. This allows any authenticated user to access sensitive relationship data belonging to other users by simply iterating through event IDs.

The leaked information includes the list of lost followers and followed users caused by moderation actions such as domain blocks or account suspensions. While the vulnerability does not directly expose the account name that lost the relationships, an attacker could enumerate through all severance events and build a comprehensive view of moderation impacts and user relationships across the instance.

Root Cause

The root cause is a classic Insecure Direct Object Reference (IDOR) vulnerability where the application fails to implement proper access control checks before returning sensitive data. The set_event method in the controller uses a direct find query without scoping to the current user's account, allowing any authenticated user to access any severance event by manipulating the ID parameter.

Attack Vector

The attack vector is network-based and requires low privileges (any registered local user account). An attacker can exploit this vulnerability by:

  1. Authenticating to the Mastodon instance with any valid user account
  2. Making requests to the severed relationships download endpoint
  3. Iterating through sequential event IDs to enumerate all severance events on the instance
  4. Downloading the relationship lists for events belonging to other users
ruby
# Vulnerable code (before patch)
def set_event
  @event = AccountRelationshipSeveranceEvent.find(params[:id])
end

# Fixed code (after patch)
def set_event
  @event = AccountRelationshipSeveranceEvent.where(account: current_account).find(params[:id])
end

Source: GitHub Commit

Detection Methods for CVE-2026-22246

Indicators of Compromise

  • Unusual patterns of requests to severed relationships endpoints with sequential or enumerated IDs
  • High volume of requests to /severed_relationships/:id endpoints from a single user account
  • Access logs showing requests to severance event IDs that don't belong to the requesting user

Detection Strategies

  • Monitor application logs for requests to the severed relationships controller with varying event IDs
  • Implement anomaly detection for users accessing multiple severance event records in short time periods
  • Review access patterns for the /severed_relationships endpoint looking for enumeration behavior

Monitoring Recommendations

  • Enable detailed logging for the SeveredRelationshipsController to capture all access attempts
  • Set up alerts for high-frequency access to severance event endpoints
  • Regularly audit access logs for patterns consistent with IDOR exploitation attempts

How to Mitigate CVE-2026-22246

Immediate Actions Required

  • Upgrade Mastodon to version 4.3.17, 4.4.11, or 4.5.4 immediately
  • Review application logs for potential exploitation attempts prior to patching
  • Consider temporarily disabling the severed relationships download feature if immediate upgrade is not possible

Patch Information

Mastodon has released security patches addressing this vulnerability. The fix adds proper authorization checks by scoping the database query to the current user's account. Updated versions include:

For additional details, refer to the GitHub Security Advisory.

Workarounds

  • If upgrading is not immediately possible, consider restricting access to the severed relationships feature at the web server level
  • Implement rate limiting on the affected endpoints to slow potential enumeration attempts
  • Monitor access logs closely for signs of exploitation while awaiting the upgrade window
bash
# Example nginx rate limiting for the affected endpoint
location /severed_relationships {
    limit_req zone=sensitive_endpoints burst=5 nodelay;
    proxy_pass http://mastodon_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne