Email Domain Filtering Flaw in Mastodon Social Network Server
CVE-2026-41259

8.2 HIGH

Key Information:

Vendor: Mastodon
Status: Vendor
CVE Published: 23 April 2026

What is CVE-2026-41259?

Mastodon, an open-source social network server based on ActivityPub, has a flaw in its email domain filtering. Before versions 4.5.9, 4.4.16 and 4.3.22, the registration flow validated email addresses too loosely: the domain part of an address could contain characters that certain mail servers interpret differently from Mastodon's filter, so the domain Mastodon checked against its filtering rules was not necessarily the domain to which mail would actually be delivered. This could lead to unauthorized user registration. Operators should upgrade to 4.5.9, 4.4.16 or 4.3.22 (or later) to fix the flaw.
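To make the failure mode concrete, the following added example (written for this page, not Mastodon's own code, and not a reproduction of the fixed bug) contrasts a lax domain check with a strict one. The lax check compares whatever follows the last "@" against a hypothetical operator blocklist; the strict check only accepts a domain it can parse unambiguously as a sequence of LDH hostname labels and rejects everything else, so the filter and a mail server cannot disagree about which domain an address belongs to. The blocklist entry and the sample addresses are constructed for illustration.

```ruby
require 'set'

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/

# Constructed example of a registration e-mail domain filter.
class EmailDomainFilter
  # blocked_domains: hypothetical operator-configured blocklist (constructed).
  def initialize(blocked_domains)
    @blocked = blocked_domains.map(&:downcase).to_set
  end

  # Illustrative lax check (constructed, not Mastodon's code): compares the
  # raw text after the last '@' against the blocklist. Anything that makes
  # the text differ from the canonical domain (trailing whitespace, a
  # comment, a trailing dot) slips past even though a mail server may still
  # deliver to the blocked domain.
  def naive_allowed?(address)
    domain = address.split('@').last.to_s.downcase
    !@blocked.include?(domain)
  end

  # Returns the normalized domain part, or nil if the address is not
  # unambiguous: ASCII only, exactly one '@', non-empty local part, and a
  # domain made solely of LDH labels with at least two labels. Anything else
  # is rejected outright rather than guessed at.
  def strict_domain(address)
    return nil unless address.is_a?(String) && address.ascii_only?
    parts = address.split('@', -1)
    return nil unless parts.length == 2
    local, domain = parts
    return nil if local.empty? || domain.empty?
    domain = domain.downcase
    labels = domain.split('.', -1)
    return nil if labels.length < 2
    return nil unless labels.all? { |l| l.match?(HOSTNAME_LABEL) }
    domain
  end

  # True if the address may be used for registration: it must parse strictly
  # and must not be a blocked domain or a subdomain of one.
  def allowed?(address)
    domain = strict_domain(address)
    return false if domain.nil?
    @blocked.none? { |b| domain == b || domain.end_with?(".#{b}") }
  end
end

if __FILE__ == $PROGRAM_NAME
  filter = EmailDomainFilter.new(['blocked.test'])
  ['alice@example.com', 'bob@blocked.test', 'carol@mail.blocked.test',
   'dave@blocked.test ', 'eve@blocked.test(comment)', 'frank@blocked.test.'].each do |addr|
    puts format('%-28p naive=%-5s strict=%s', addr, filter.naive_allowed?(addr), filter.allowed?(addr))
  end
end
```

The design point is that a blocklist comparison is only as good as the parser in front of it: if the filter's notion of "the domain" can be nudged by characters the mail transport ignores or reinterprets, the comparison is meaningless. Rejecting anything outside a narrow grammar is simpler and safer than trying to mirror every mail server's parsing rules.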

Affected Version(s)

mastodon < 4.3.22

mastodon >= 4.4.0-beta.1, < 4.4.16

mastodon >= 4.5.0-beta.1, < 4.5.9

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published (23 April 2026)

  • Vulnerability reserved