Skip to content
CVSS 7.5 · HIGH

CVE-2026-41259

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.

Ver en NVD

Análisis

Mastodon versions prior to 4.5.9, 4.4.16, and 4.3.22 are vulnerable to a registration bypass. Attackers can use specifically crafted email addresses with characters that bypass domain-based restrictions, allowing unauthorized account creation on restricted or private instances. Administrators should update to the latest patched versions to maintain control over user sign-ups.

Severidad

Puntaje: 7.5(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: NONE
I: HIGH
A: NONE
Tipo de falla (CWE): CWE-841

EPSS

Probabilidad de explotación (próx. 30 días): 0.0004 (0.0%)
Percentil: 11.9%
EPSS: 2026-05-06

Afecta

joinmastodon:mastodon

Descripción técnica

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.

Publicada: 23/4/2026, 19:17:30
Última modificación: 28/4/2026, 18:50:54

Referencias

InicioEventosBlogRecursosEquipo