Information Disclosure in Mastodon Social Network Server
CVE-2026-22246
6.5 MEDIUM
What is CVE-2026-22246?
Mastodon, the open-source social network server, added a feature that notifies users about relationships severed as a result of moderation actions. The code that serves those notifications does not restrict access to the requesting user's own severance events: any registered local user can retrieve the list of followers and followed accounts lost in any severance event on the instance, exposing relationship data that should be visible only to the affected account. The response does not name the account that lost the connections, but the relationship data itself can still be misused. The issue is fixed in Mastodon 4.3.17, 4.4.11 and 4.5.4.
Affected Version(s)
mastodon: < 4.3.17 (fixed in 4.3.17)
mastodon: >= 4.4.0-beta.1, < 4.4.11 (affected from 4.4.0-beta.1, fixed in 4.4.11)
mastodon: >= 4.5.0-beta.1, < 4.5.4 (affected from 4.5.0-beta.1, fixed in 4.5.4)
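The following is an added illustration, not Mastodon's own code and not taken from the fix: it shows the class of bug the advisory describes (an event lookup that is not scoped to the requesting account) next to the scoped lookup that closes it, and a helper that checks a deployed version against the affected ranges listed above. The names SeveranceEvent, LostRelationship, lost_relationships_unscoped, lost_relationships_scoped and affected?, and the sample data, are assumptions made for this example.

```ruby
# Added example (not Mastodon's code). Plain Ruby, no Rails, so it runs offline.
require 'rubygems' # Gem::Version understands pre-release tags such as 4.4.0-beta.1

class NotFound < StandardError; end

# Hypothetical model: a severance event belongs to one local account and
# records the follower/following relationships that account lost.
SeveranceEvent   = Struct.new(:id, :owner_account_id, :lost_relationships)
LostRelationship = Struct.new(:direction, :account_handle) # :follower or :following

# Constructed sample data: two local accounts (ids 100 and 200), one event each.
EVENTS = [
  SeveranceEvent.new(1, 100, [LostRelationship.new(:follower,  'alice@remote.example'),
                              LostRelationship.new(:following, 'bob@remote.example')]),
  SeveranceEvent.new(2, 200, [LostRelationship.new(:follower,  'carol@remote.example')]),
].freeze

# Vulnerable pattern: the event is found by id alone; the requesting account is
# never compared with the event's owner, so account 100 can read event 2.
def lost_relationships_unscoped(event_id, _requesting_account_id)
  event = EVENTS.find { |e| e.id == event_id }
  raise NotFound unless event
  event.lost_relationships.map { |r| [r.direction, r.account_handle] }
end

# Hardened pattern: the lookup is scoped to the requesting account, so another
# account's event is indistinguishable from a non-existent one (a 404 rather
# than a 403, which also avoids confirming that the event id is valid).
def lost_relationships_scoped(event_id, requesting_account_id)
  event = EVENTS.find { |e| e.id == event_id && e.owner_account_id == requesting_account_id }
  raise NotFound unless event
  event.lost_relationships.map { |r| [r.direction, r.account_handle] }
end

# Affected ranges as listed in the advisory: a lower bound of nil means
# "every version below the fixed release".
AFFECTED_RANGES = [
  { from: nil,            fixed: '4.3.17' },
  { from: '4.4.0-beta.1', fixed: '4.4.11' },
  { from: '4.5.0-beta.1', fixed: '4.5.4'  },
].freeze

# True when the given Mastodon version string falls inside any affected range.
def affected?(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? do |r|
    above_lower = r[:from].nil? || v >= Gem::Version.new(r[:from])
    above_lower && v < Gem::Version.new(r[:fixed])
  end
end

if __FILE__ == $PROGRAM_NAME
  # Account 100 reads account 200's event through the unscoped lookup...
  p lost_relationships_unscoped(2, 100)
  # ...but the scoped lookup refuses it.
  begin
    lost_relationships_scoped(2, 100)
  rescue NotFound
    puts 'scoped lookup: not found (as intended)'
  end
  %w[4.3.16 4.3.17 4.4.0-beta.1 4.4.11 4.5.3 4.5.4].each do |ver|
    puts "#{ver}: #{affected?(ver) ? 'affected' : 'not affected'}"
  end
end
```

The scoped lookup is the general fix for this bug class: resolve the record through the requesting user's own association (in Rails terms, `current_account.severance_events.find(id)` rather than `SeveranceEvent.find(id)`), so the ownership check cannot be forgotten at the controller level. The version helper takes the ranges from the advisory; 4.3.17 itself and every release at or above 4.4.11 or 4.5.4 report as not affected.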
