Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing attackers to re-arrange a valid signed JSON-LD activity from a third-party actor to have it processed differently. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Metrics
Affected Vendors & Products
References
History
Thu, 25 Jun 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 25 Jun 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Joinmastodon
Joinmastodon mastodon |
|
| Vendors & Products |
Joinmastodon
Joinmastodon mastodon |
Wed, 24 Jun 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing attackers to re-arrange a valid signed JSON-LD activity from a third-party actor to have it processed differently. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23. | |
| Title | Mastodon: LD-Signature Bypass via JSON-LD Named-Graph Restructuring | |
| Weaknesses | CWE-347 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-06-24T19:40:35.022Z
Updated: 2026-06-25T13:16:49.851Z
Reserved: 2026-05-13T18:37:30.990Z
Link: CVE-2026-46349
Updated: 2026-06-25T13:16:46.452Z
No data.
No data.