Open-Source Social Network Server Vulnerability in Mastodon
CVE-2026-27477

4.6 MEDIUM

Key Information:

Vendor: Mastodon
Status: Vendor
CVE Published: 24 February 2026

What is CVE-2026-27477?

Mastodon is affected by a security flaw that allows an unauthenticated attacker to register a FASP with a base URL of their choice, which can lead to internal address resolution. Because the registered base URL is later used for outbound requests, an attacker can cause the Mastodon server to send requests to local or internal systems, which may trigger unforeseen behaviour or expose vulnerabilities in those systems. The issue only affects instances that have enabled the experimental FASP feature through the EXPERIMENTAL_FEATURES environment variable. Versions 4.4.14 and 4.5.7 fix the issue, and administrators who are actively testing the feature should update. Instances that do not use the ‘fasp’ feature are not at risk.
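The defensive control the advisory implies is a validation step on the attacker-supplied base URL before it is stored and used for outbound requests. The following is an added example written for this page, not Mastodon's own code or its fix: a hypothetical Ruby module (`FaspBaseUrlCheck`, an assumed name) that accepts only https URLs whose host is, or resolves exclusively to, a globally routable address. The https-only rule and the blocked address ranges are assumptions chosen for the example; the resolver is injectable so the check can be exercised without network access.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Added example, not Mastodon's code: validates an externally supplied FASP
# base URL and refuses anything that points at loopback, link-local, private
# or otherwise non-public address space. A hostname is resolved and every
# returned address must be public, because one name can map to many addresses.
module FaspBaseUrlCheck
  # Assumed block list for the example (RFC 1918, loopback, link-local,
  # CGNAT, benchmarking and IPv6 ULA/link-local ranges).
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.0.0.0/24 192.168.0.0/16 198.18.0.0/15
    ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  Result = Struct.new(:ok, :reason)

  # Default resolver uses system DNS; callers may inject any callable that
  # maps a hostname to an array of address strings (tests use a fixed table).
  SYSTEM_RESOLVER = ->(host) { Resolv.getaddresses(host) }

  def self.check(url_string, resolver: SYSTEM_RESOLVER)
    uri = URI.parse(url_string)
    return Result.new(false, "scheme must be https") unless uri.scheme == "https"
    return Result.new(false, "userinfo not allowed") if uri.userinfo
    host = uri.hostname.to_s # hostname strips the brackets of an IPv6 literal
    return Result.new(false, "missing host") if host.empty?

    # A literal IP is checked directly; a name is resolved first.
    addresses = literal_ip?(host) ? [host] : Array(resolver.call(host))
    return Result.new(false, "host does not resolve") if addresses.empty?

    addresses.each do |addr|
      ip = IPAddr.new(addr)
      ip = ip.native if ip.ipv4_mapped? # ::ffff:7f00:1 is still loopback
      if BLOCKED_RANGES.any? { |range| range.include?(ip) }
        return Result.new(false, "#{host} resolves to non-public address #{addr}")
      end
    end
    Result.new(true, "ok")
  rescue URI::InvalidURIError, IPAddr::InvalidAddressError => e
    Result.new(false, "invalid input: #{e.message}")
  end

  def self.literal_ip?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed resolver table so the demo runs offline.
  table = { "fasp.example" => ["203.0.113.10"],
            "two-faced.example" => ["203.0.113.10", "10.0.0.5"] }
  demo = ->(h) { table.fetch(h, []) }
  %w[https://fasp.example/ https://two-faced.example/ https://127.0.0.1/
     https://[::1]/ http://fasp.example/].each do |u|
    r = FaspBaseUrlCheck.check(u, resolver: demo)
    puts "#{u} -> #{r.ok ? 'accept' : 'reject'} (#{r.reason})"
  end
end
```

Checking the resolved addresses at registration time is necessary but not sufficient: the name can be re-pointed at an internal address between registration and the later request (DNS rebinding), so the code path that actually performs the outbound request should apply the same address check to the connection it opens, not just trust the stored URL.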

Affected Version(s)

mastodon >= 4.4.0, < 4.4.14

mastodon >= 4.5.0, < 4.5.7

References

CVSS V4

Score: 4.6
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
