Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-27477

CVE-2026-27477: Joinmastodon Mastodon SSRF Vulnerability

CVE-2026-27477 is an SSRF vulnerability in Joinmastodon Mastodon affecting the experimental FASP feature. Attackers can force internal requests through malicious base_url registration. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-27477 Overview

CVE-2026-27477 is a Server-Side Request Forgery (SSRF) vulnerability affecting Mastodon, the free, open-source social network server based on ActivityPub. The vulnerability exists in the experimental FASP (Fediverse Auxiliary Service Providers) registration feature, where an unauthenticated attacker can register a FASP with an attacker-controlled base_url that includes or resolves to a local or internal address. This causes the Mastodon server to make unintended HTTP(S) requests to internal systems.

Critical Impact

Unauthenticated attackers can force Mastodon servers to make requests to internal network resources, potentially triggering vulnerabilities or undesired behavior in backend systems.

Affected Products

  • Mastodon versions 4.4.0 through 4.4.13
  • Mastodon versions 4.5.0 through 4.5.6
  • Only servers with EXPERIMENTAL_FEATURES environment variable including fasp

Discovery Timeline

  • 2026-02-24 - CVE-2026-27477 published to NVD
  • 2026-02-26 - Last updated in NVD database

Technical Details for CVE-2026-27477

Vulnerability Analysis

This SSRF vulnerability (CWE-918) exists in the FASP registration workflow of Mastodon. The FASP feature, still in experimental status, allows third-party service providers to register with Mastodon instances. While registration requires manual administrator approval, the vulnerability occurs during the initial registration phase before approval takes place.

An unauthenticated attacker can submit a FASP registration request with a malicious base_url parameter pointing to internal network addresses (such as 127.0.0.1, localhost, or private IP ranges). The Mastodon server then makes HTTP(S) requests to these internal addresses when processing the registration. Although the attacker cannot control the complete URL path (only the prefix) and cannot observe the responses, the ability to trigger requests to internal services can lead to serious consequences including triggering vulnerabilities in backend systems, accessing metadata services, or causing unintended side effects.

Root Cause

The root cause is insufficient validation of the base_url parameter in FASP registration requests. The original implementation used the standard HTTP library socket class directly without the SSRF protections implemented in Mastodon's custom Request::Socket class. This custom socket class contains safeguards against requests to internal and private IP addresses, but the FASP request handling code bypassed these protections.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker submits a FASP registration request to a vulnerable Mastodon server with a base_url pointing to an internal service:

  1. Attacker identifies a Mastodon instance with the experimental FASP feature enabled
  2. Attacker crafts a FASP registration request with a malicious base_url (e.g., http://169.254.169.254/ for cloud metadata services or http://127.0.0.1:6379/ for internal Redis)
  3. The Mastodon server processes the registration and makes HTTP requests to the specified internal address
  4. While the attacker cannot see responses, internal services may execute commands or expose data through side effects

The fix re-uses Mastodon's existing custom socket class that includes SSRF protections:

ruby
     response = HTTP
       .headers(headers)
       .use(http_signature: { key:, covered_components: COVERED_COMPONENTS })
-      .send(verb, url, body:)
+      .send(verb, url, body:, socket_class: ::Request::Socket)

     validate!(response)
     @provider.delivery_failure_tracker.track_success!

Source: GitHub Commit 7b85d21

The patch modifies app/lib/fasp/request.rb to use the ::Request::Socket class instead of the default socket class. This ensures FASP requests go through the same SSRF filtering applied to other outbound requests in Mastodon.

Detection Methods for CVE-2026-27477

Indicators of Compromise

  • Unusual FASP registration requests with base_url values pointing to private IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
  • FASP registrations with base_url containing localhost, 127.0.0.1, or ::1
  • Outbound HTTP connections from the Mastodon server to internal services or cloud metadata endpoints (169.254.169.254)

Detection Strategies

  • Monitor FASP registration logs for suspicious base_url entries containing internal or private addresses
  • Implement network-level detection for outbound connections from Mastodon servers to private IP ranges
  • Review web server access logs for POST requests to FASP registration endpoints with unusual parameters
  • Alert on Mastodon server connections to common internal service ports (6379/Redis, 11211/Memcached, 5432/PostgreSQL)

Monitoring Recommendations

  • Enable verbose logging for FASP-related activities if the experimental feature is in use
  • Deploy network segmentation monitoring to detect unexpected internal traffic from DMZ-hosted Mastodon instances
  • Configure cloud provider security tools to alert on metadata service access from application servers

How to Mitigate CVE-2026-27477

Immediate Actions Required

  • Update Mastodon to version 4.4.14 or 4.5.7 immediately if using the experimental FASP feature
  • If unable to update immediately, disable the FASP feature by removing fasp from the EXPERIMENTAL_FEATURES environment variable
  • Review FASP registration logs for any suspicious activity prior to patching
  • Audit network traffic from Mastodon servers to identify potential exploitation attempts

Patch Information

The fix is included in Mastodon versions 4.4.14 and 4.5.7. The patch modifies the FASP request handling in app/lib/fasp/request.rb to use the custom Request::Socket class that implements SSRF protections. Administrators should obtain the update from the official Mastodon repository. For more details, see the GitHub Security Advisory GHSA-46w6-g98f-wxqm.

Workarounds

  • Disable the experimental FASP feature by modifying the EXPERIMENTAL_FEATURES environment variable to exclude fasp
  • Implement network-level controls to prevent the Mastodon server from connecting to internal networks
  • Deploy a web application firewall (WAF) to filter FASP registration requests containing internal IP addresses
bash
# Disable FASP feature in Mastodon environment
# Remove 'fasp' from EXPERIMENTAL_FEATURES in your .env.production file
# Example - if your current setting is:
# EXPERIMENTAL_FEATURES=fasp,other_feature
# Change to:
# EXPERIMENTAL_FEATURES=other_feature

# Restart Mastodon services after modification
systemctl restart mastodon-web mastodon-sidekiq mastodon-streaming

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne