CVE-2026-46348

Vulnerability Description

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the affected range to make Mastodon perform HTTP requests against loopback interfaces, potentially allowing access to otherwise private resources and services. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.

Vulnerability Details

Published Date

June 24, 2026

Last Modified

June 24, 2026

CWE ID

CWE-918

Source

NVD

Vendor

mastodon

Product

mastodon

External References

https://github.com/mastodon/mastodon/security/advisories/GHSA-crr4-7rm4-8gpw

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment