Vulnerability in Mastodon FASP Feature Allows Unapproved Actions
CVE-2026-27468

4.8 MEDIUM

Key Information:

Vendor: Mastodon
Status: Vendor
CVE Published: 24 February 2026

What is CVE-2026-27468?

Mastodon, an open-source social networking server, has a vulnerability in its FASP (Federated Admin Subscription Protocol) feature, affecting versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6. The vulnerability arises when the experimental FASP feature is enabled for testing: subscriptions to lifecycle events and content backfill requests are accepted even though they have not been approved. An attacker can exploit this to create subscriptions without administrator consent, leading to potential information leakage of publicly available URIs and to Denial of Service (DoS) risk by overwhelming the Sidekiq worker that processes FASP tasks. Users should upgrade to version 4.4.14 or 4.5.7 to mitigate this risk. Servers that do not enable the experimental FASP feature are not affected.

Affected Version(s)

mastodon >= 4.4.0, < 4.4.14 (unaffected: < 4.4.0; fixed in 4.4.14)

mastodon >= 4.5.0, < 4.5.7 (unaffected: < 4.5.0; fixed in 4.5.7)

CVSS v4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved