CVE-2026-50128
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
Mastodon, a social network server based on ActivityPub, has a vulnerability in versions from 4.3.0 to 4.5.11 and 4.4.18 that allows modification of the attributionDomains value in signed activities. An error in the definition of this term makes Linked Data signatures ineffective.
Risk Assessment
An attacker can introduce false authorship claims, leading to misinformation and loss of trust in the platform. This may also impact the reputation of organizations using Mastodon.
Recommendation
It is recommended to update Mastodon to versions 4.5.11 or 4.4.18 to eliminate this vulnerability. Regular monitoring and updating of software is crucial for maintaining security.
Original NVD description (English source)
Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how it is defined makes Linked Data Signatures on the toot:attributionDomains property ineffective. An attacker can arbitrarily modify the attributionDomains value of a legitimately signed Update activity and bypass Mastodon’s signature verification. This vulnerability is fixed in 4.5.11 and 4.4.18.

