CVE Catalog

CVE-2026-50128

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

Mastodon, a social network server based on ActivityPub, has a vulnerability in versions from 4.3.0 to 4.5.11 and 4.4.18 that allows modification of the attributionDomains value in signed activities. An error in the definition of this term makes Linked Data signatures ineffective.

Risk Assessment

An attacker can introduce false authorship claims, leading to misinformation and loss of trust in the platform. This may also impact the reputation of organizations using Mastodon.

Recommendation

It is recommended to update Mastodon to versions 4.5.11 or 4.4.18 to eliminate this vulnerability. Regular monitoring and updating of software is crucial for maintaining security.

Original NVD description (English source)

Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how it is defined makes Linked Data Signatures on the toot:attributionDomains property ineffective. An attacker can arbitrarily modify the attributionDomains value of a legitimately signed Update activity and bypass Mastodon’s signature verification. This vulnerability is fixed in 4.5.11 and 4.4.18.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS