Missing Consent Check in Mastodon Social Network Server
CVE-2026-47777

7.5 HIGH

Key Information:

Vendor

Mastodon

Status
Vendor
CVE Published:
15 June 2026

What is CVE-2026-47777?

Mastodon is an open-source social network server built on ActivityPub. The check that verifies a remote account has consented to be featured in a Collection is missing a condition, so the existing consent validation can be bypassed. By manipulating the FeatureAuthorization object that the server uses for this verification, an attacker can misrepresent an account as having granted permission to appear in a Collection, defeating this trust mechanism. Only Mastodon servers running the main branch or nightly builds with the experimental 'Collections' feature enabled are affected. A fix is included in version 4.6.0-beta.1.
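The description above names the bug class (a consent check that can be satisfied by a manipulated authorization object) without giving the code. The following Ruby is an added illustration of that class, not Mastodon's code and not a claim about which condition Mastodon's check actually lacked: the types `Account`, `Collection` and `FeatureAuthorization`, the fields `actor`, `target` and `attributed_to`, and the sample accounts are all hypothetical stand-ins. It places a weak check, which only confirms that some authorization exists for the collection owner, beside a hardened one that binds the authorization to the featured account itself.

```ruby
# Added illustration (not Mastodon's code). All names and fields are hypothetical.
# Point: a consent check for featuring a remote account must bind the
# authorization to the featured account, not merely to the collection owner.

Account = Struct.new(:uri, :domain, keyword_init: true)
Collection = Struct.new(:owner, :featured, keyword_init: true)

# A consent object asserting that `actor` agrees to be featured by `target`.
# `attributed_to` records which account's server the object was obtained from.
FeatureAuthorization = Struct.new(:actor, :target, :attributed_to, keyword_init: true)

# Weak check: verifies that an authorization exists and targets this owner,
# but never ties the authorization's actor to the account being featured.
def weak_consent?(authorization, _featured_account, collection_owner)
  !authorization.nil? && authorization.target == collection_owner.uri
end

# Hardened check: the authorization must (1) target this owner, (2) name the
# featured account as the consenting actor, and (3) originate from that same
# account, so nobody can supply consent on someone else's behalf.
def consent_given?(authorization, featured_account, collection_owner)
  return false if authorization.nil?
  return false unless authorization.target == collection_owner.uri
  return false unless authorization.actor == featured_account.uri
  return false unless authorization.attributed_to == featured_account.uri
  true
end

# Adds `featured_account` to the owner's collection only when consent is bound
# to that account. Returns the (possibly unchanged) collection.
def feature_account(collection, featured_account, authorization)
  return collection unless consent_given?(authorization, featured_account, collection.owner)
  Collection.new(owner: collection.owner, featured: collection.featured + [featured_account])
end

# Constructed sample data (hypothetical domains and users).
OWNER    = Account.new(uri: "https://example.social/users/owner", domain: "example.social")
VICTIM   = Account.new(uri: "https://remote.example/users/victim", domain: "remote.example")
OTHER    = Account.new(uri: "https://third.example/users/other", domain: "third.example")

# Genuine: the featured account itself consents, served from its own origin.
GENUINE = FeatureAuthorization.new(actor: VICTIM.uri, target: OWNER.uri, attributed_to: VICTIM.uri)
# Unrelated: some other account consents to be featured; says nothing about VICTIM.
UNRELATED = FeatureAuthorization.new(actor: OTHER.uri, target: OWNER.uri, attributed_to: OTHER.uri)
# Misattributed: names VICTIM as actor but was obtained from a different origin.
MISATTRIBUTED = FeatureAuthorization.new(actor: VICTIM.uri, target: OWNER.uri, attributed_to: OTHER.uri)

if __FILE__ == $PROGRAM_NAME
  empty = Collection.new(owner: OWNER, featured: [])
  puts "weak check accepts unrelated authorization: #{weak_consent?(UNRELATED, VICTIM, OWNER)}"
  puts "hardened check accepts unrelated:           #{consent_given?(UNRELATED, VICTIM, OWNER)}"
  puts "hardened check accepts misattributed:       #{consent_given?(MISATTRIBUTED, VICTIM, OWNER)}"
  puts "hardened check accepts genuine:             #{consent_given?(GENUINE, VICTIM, OWNER)}"
  puts "featured after genuine consent: #{feature_account(empty, VICTIM, GENUINE).featured.map(&:uri)}"
end
```

The design point is that every attribute an authorization carries is attacker-influenced unless the server derives it from where the object was fetched; checking only that an authorization "exists for this owner" lets any account's consent stand in for the featured account's, which is the shape of bypass the advisory describes.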

Affected Version(s)

mastodon >= nightly.2026-03-10, < 4.6.0-beta.1

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
