CVE-2026-25540 Overview
CVE-2026-25540 is a web cache poisoning vulnerability affecting Mastodon, the popular free, open-source social network server based on ActivityPub. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags improperly cache responses without considering the signing actor, allowing cached content intended for one user to be served to another. This vulnerability can lead to information disclosure where blocked users receive content they shouldn't have access to, or legitimate users receive empty responses cached from blocked user requests.
Critical Impact
Attackers can exploit improper cache handling to bypass user blocking functionality, potentially exposing private content to blocked accounts or disrupting service for legitimate users through cache poisoning.
Affected Products
- Mastodon versions prior to 4.3.19
- Mastodon versions prior to 4.4.13
- Mastodon versions prior to 4.5.6
Discovery Timeline
- 2026-02-04 - CVE-2026-25540 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-25540
Vulnerability Analysis
This web cache poisoning vulnerability stems from improper use of Rails.cache in Mastodon's ActivityPub implementation. When AUTHORIZED_FETCH is enabled, the server verifies HTTP signatures to authenticate requests from remote ActivityPub actors. The ActivityPub endpoints for pinned posts (/users/:username/collections/featured) and featured hashtags generate responses that vary with the requesting actor's relationship to the account owner, specifically whether the requester is blocked.
The core issue is that these dynamically generated responses are stored in an internal cache without incorporating the signing actor's identity as part of the cache key. This creates a classic cache poisoning scenario where the first request to populate the cache determines what all subsequent requesters will receive, regardless of their individual access permissions.
Root Cause
The root cause is classified as CWE-524 (Use of Cache Containing Sensitive Information). The Mastodon application caches responses from ActivityPub endpoints without properly varying the cache based on the authenticated actor. The cache implementation fails to account for the fact that response content is dependent on the relationship between the requesting actor and the resource owner. This architectural flaw means that access control decisions made during the initial request are incorrectly applied to all subsequent cached responses.
Attack Vector
The attack vector is network-based and requires no user interaction. An attacker with a blocked account can exploit this vulnerability by being the first to request a victim's pinned posts or featured hashtags endpoint. When the server generates an empty response (because the attacker is blocked) and caches it, legitimate federated servers requesting the same endpoint will receive the cached empty response instead of the actual content. Conversely, if a legitimate actor's request is cached first, a blocked actor could subsequently access content they should be restricted from viewing.
The attack is particularly effective in federated environments where multiple ActivityPub servers interact with a Mastodon instance. The timing of cache population and cache expiration windows creates opportunities for exploitation.
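The root cause and both attack orderings above, reduced to a runnable illustration. This is an added example, not Mastodon's code: the class below stands in for a controller backed by Rails.cache.fetch (simulated with a plain Hash), and the owner "alice", her pinned posts and the blocked actor "mallory" are constructed sample data. With vary_on_actor: false the cache key is the vulnerable shape (owner only); with vary_on_actor: true it is the patched shape (owner plus signed actor).

```ruby
# Added illustration (not Mastodon's code): a minimal stand-in for a
# Rails.cache-backed featured collection, showing why the cache key must
# include the signing actor when AUTHORIZED_FETCH makes responses actor-specific.
class FeaturedCollectionServer
  # Constructed sample state: account owner, her pinned posts, her block list.
  OWNER = "alice".freeze
  PINNED = ["post-1", "post-2"].freeze
  BLOCKED = ["mallory"].freeze

  def initialize(vary_on_actor:)
    @vary_on_actor = vary_on_actor
    @cache = {} # stand-in for the store behind Rails.cache
  end

  # Mirrors Rails.cache.fetch(key) { value }: return the cached value if
  # present, otherwise compute it, store it under key and return it.
  def cache_fetch(key)
    @cache.fetch(key) { @cache[key] = yield }
  end

  # Per-request access-control decision: blocked actors get an empty collection.
  def visible_items(signed_actor)
    BLOCKED.include?(signed_actor) ? [] : PINNED
  end

  # GET /users/alice/collections/featured as seen by the signed actor.
  # Vulnerable key: "featured:alice" (first requester decides for everyone).
  # Patched key:    "featured:alice:<actor>" (each actor gets their own entry).
  def featured(signed_actor)
    key = @vary_on_actor ? "featured:#{OWNER}:#{signed_actor}" : "featured:#{OWNER}"
    cache_fetch(key) { { "orderedItems" => visible_items(signed_actor) } }
  end
end

# Ordering 1 from the advisory: the blocked actor warms the cache, then a
# legitimate remote server asks for the same collection.
def blocked_first(vary_on_actor:)
  server = FeaturedCollectionServer.new(vary_on_actor: vary_on_actor)
  server.featured("mallory")
  server.featured("bob")["orderedItems"]
end

# Ordering 2: a legitimate actor warms the cache, then the blocked actor asks.
def legit_first(vary_on_actor:)
  server = FeaturedCollectionServer.new(vary_on_actor: vary_on_actor)
  server.featured("bob")
  server.featured("mallory")["orderedItems"]
end
```

With the vulnerable key, ordering 1 hands the legitimate server an empty collection and ordering 2 hands the blocked actor the pinned posts; with the actor-scoped key both orderings return what the access-control decision intended.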
Detection Methods for CVE-2026-25540
Indicators of Compromise
- Unexpected empty responses from ActivityPub endpoints for pinned posts or featured hashtags
- User reports of blocked accounts still being able to view pinned posts or hashtags
- Inconsistent federation behavior where some servers receive content while others receive empty responses
- Anomalous patterns in HTTP signature verification logs showing blocked accounts accessing cached content
Detection Strategies
- Monitor ActivityPub endpoint response patterns for inconsistencies between authenticated actors
- Implement logging to track cache hits and misses on sensitive ActivityPub endpoints
- Audit HTTP signature verification logs for requests from known blocked accounts receiving non-empty responses
- Compare federated content retrieval results across multiple external servers to identify caching anomalies
Monitoring Recommendations
- Enable detailed logging for Rails.cache operations on ActivityPub endpoints
- Set up alerts for unusual patterns in blocked account activity
- Monitor cache hit ratios and response sizes for featured content endpoints
- Implement federation health checks to verify consistent content delivery across federated instances
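The two log-based detection strategies above (blocked actors receiving non-empty responses, and legitimate actors receiving empty cache hits after a blocked actor's miss), worked over constructed log lines. This is an added example, not a Mastodon feature: the key=value log format, the actor URIs and the paths are assumptions made for the illustration, and a real deployment would need to emit the signed actor, cache outcome and item count per request first.

```ruby
# Added example (not from Mastodon or the advisory): a small detector over
# constructed, hypothetical log lines that record, per ActivityPub request,
# the signed actor, the path, whether Rails.cache hit, and the item count served.
LogEntry = Struct.new(:time, :actor, :path, :cache, :items)

# Constructed sample lines; the key=value layout is an assumption for this example.
SAMPLE_LOG = <<~LOG
  2026-02-05T10:00:01Z actor=https://blocked.example/users/mallory path=/users/alice/collections/featured cache=miss items=0
  2026-02-05T10:00:07Z actor=https://remote.example/users/bob path=/users/alice/collections/featured cache=hit items=0
  2026-02-05T10:05:00Z actor=https://remote.example/users/carol path=/users/alice/collections/featured cache=hit items=0
  2026-02-05T11:00:00Z actor=https://remote.example/users/bob path=/users/dave/collections/featured cache=miss items=3
  2026-02-05T11:00:30Z actor=https://blocked.example/users/mallory path=/users/dave/collections/featured cache=hit items=3
LOG

# Actors the instance knows are blocked by the respective owners (constructed).
BLOCKED_ACTORS = ["https://blocked.example/users/mallory"].freeze

def parse_log(text)
  text.each_line.map do |line|
    time, *pairs = line.split
    kv = pairs.to_h { |pair| pair.split("=", 2) }
    LogEntry.new(time, kv["actor"], kv["path"], kv["cache"], kv["items"].to_i)
  end
end

# Two signals from the advisory's detection strategies:
# 1. a blocked actor was served a non-empty featured collection (cache leaked content);
# 2. non-blocked actors were served an empty collection from a cache hit on a path
#    where a blocked actor's miss produced the empty response (cache poisoned).
def findings(entries, blocked)
  out = []
  entries.group_by(&:path).each do |path, reqs|
    reqs.each do |r|
      out << [:blocked_got_content, path, r.actor] if blocked.include?(r.actor) && r.items > 0
    end
    seeded_empty = reqs.any? { |r| blocked.include?(r.actor) && r.cache == "miss" && r.items.zero? }
    reqs.each do |r|
      next if blocked.include?(r.actor)
      out << [:legit_got_empty_hit, path, r.actor] if seeded_empty && r.cache == "hit" && r.items.zero?
    end
  end
  out
end
```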
How to Mitigate CVE-2026-25540
Immediate Actions Required
- Upgrade Mastodon to version 4.3.19, 4.4.13, or 4.5.6 depending on your current release branch
- Clear existing Rails cache after upgrading to remove any poisoned cache entries
- Review blocked account lists and verify blocking functionality is operating correctly post-patch
- Notify federated instance administrators of the vulnerability and patching requirements
Patch Information
Mastodon has released security patches addressing this vulnerability in versions 4.3.19, 4.4.13, and 4.5.6. These patches modify the caching behavior to properly incorporate the requesting actor's identity into cache keys, ensuring that responses are appropriately varied based on the authenticated actor's permissions. Administrators should upgrade to the appropriate patched version for their release branch immediately.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Temporarily disable AUTHORIZED_FETCH if the security implications are acceptable for your deployment
- Implement reverse proxy caching rules that vary on HTTP signature headers for affected endpoints
- Reduce cache TTL for ActivityPub featured content endpoints to minimize the poisoning window
- Consider temporarily removing pinned posts and featured hashtags until patching is complete
# Clear Rails cache after patching (run from Mastodon installation directory)
RAILS_ENV=production bundle exec rails runner 'Rails.cache.clear'
# Verify Mastodon version after upgrade
cat VERSION
# Expected: 4.3.19, 4.4.13, or 4.5.6 depending on branch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

