PT-2026-28106 · Mastodon · Mastodon
Theamanrawat
Published 2026-03-25 · Updated 2026-03-31
CVE-2026-33868
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Mastodon versions prior to 4.5.8
Mastodon versions prior to 4.4.15
Mastodon versions prior to 4.3.21
Description
Mastodon, a free and open-source social network server based on ActivityPub, contains an unauthenticated open redirect in the /web/* route caused by improper handling of URL-encoded path segments. A URL-encoded slash (%2F) is not collapsed by Rails path normalization, which operates on the raw request path; the captured segment is decoded only after routing, so a single encoded slash can produce a redirect target that browsers resolve as a protocol-relative URL pointing at an external host. An attacker can craft such a URL on the instance's own domain that redirects users to an arbitrary external site, potentially enabling phishing and OAuth credential theft. No authentication is required, but the victim must open the link (UI:R).
Recommendations
Update Mastodon to version 4.5.8 or later.
Update Mastodon to version 4.4.15 or later.
Update Mastodon to version 4.3.21 or later.
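The following Ruby block is an added example, not Mastodon's code and not the vendor's patch. It models the mechanism described above with hypothetical helpers: a catch-all handler that rebuilds a same-site path from the percent-decoded glob capture (`naive_web_redirect`), a check that rejects anything other than a same-origin path (`local_path?`), and the hardened variant built on it (`safe_web_redirect`). It goes slightly beyond the single `%2F` case in the advisory by also covering the backslash and embedded-whitespace forms that browsers resolve the same way.

```ruby
require "uri"

# Percent-decode a path segment the way a router does before handing it to
# the controller as a glob parameter. Hypothetical helper; only %XX escapes
# of ASCII bytes are decoded, which is all this example needs.
def decode_segment(raw)
  raw.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Vulnerable pattern (hypothetical, modelled on the advisory's description,
# not Mastodon's own code). A literal "/web//evil.example" is collapsed by
# path normalization to "/web/evil.example" before routing, but "%2F"
# survives routing and is decoded afterwards, so the capture arrives as
# "/evil.example" and the rebuilt target becomes "//evil.example", which a
# browser resolves as a protocol-relative URL to another host.
def naive_web_redirect(raw_segment)
  "/#{decode_segment(raw_segment)}"
end

# Returns true only for a same-origin path. Browsers treat "\" like "/" and
# strip ASCII tab/newline when parsing URLs, so normalize the same way
# before checking for the "//" (network-path) form.
def local_path?(target)
  t = target.tr("\\", "/").delete("\t\r\n")
  return false unless t.start_with?("/")
  return false if t.start_with?("//")
  uri = URI.parse(t)
  uri.scheme.nil? && uri.host.nil?
rescue URI::InvalidURIError
  false
end

# Hardened form: same construction, but anything that does not validate as
# a local path falls back to the application root instead of being followed.
def safe_web_redirect(raw_segment)
  target = "/#{decode_segment(raw_segment)}"
  local_path?(target) ? target : "/"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a benign capture and the encoded-slash form.
  %w[home %2Fevil.example%2Flogin %5Cevil.example].each do |seg|
    puts "#{seg.ljust(28)} naive=#{naive_web_redirect(seg).ljust(24)} safe=#{safe_web_redirect(seg)}"
  end
end
```

The check is deliberately an allow-list on the target's shape rather than a deny-list of hosts. On Rails 7.0 and later, `redirect_to` additionally raises `ActionController::Redirecting::UnsafeRedirectError` for off-host targets when `config.action_controller.raise_on_open_redirects` is enabled (or `allow_other_host: false` is passed explicitly); that protection is worth keeping on, but it does not remove the need to validate what the application builds from user-controlled path segments in the first place.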
Exploit
Fix
Open Redirect
Weakness Enumeration
Related identifiers
Affected products
Mastodon