PT-2026-21343 · Mastodon · Mastodon

Geeknik · Published 2026-02-20 · Updated 2026-03-02 · CVE-2026-27477

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Mastodon versions 4.4.0 through 4.4.13
Mastodon versions 4.5.0 through 4.5.6

Description

Mastodon is a free, open-source social network server based on ActivityPub. A flaw exists in FASP registration: an unauthenticated attacker can register a FASP with a chosen base URL that points to a local or internal address, which causes the Mastodon server to make requests to that address. This issue only affects Mastodon servers with the experimental FASP feature enabled via the EXPERIMENTAL_FEATURES environment variable, specifically when it includes fasp. An attacker can force the server to make HTTP(S) requests to internal systems, potentially triggering vulnerabilities or undesired behavior in those systems. The attacker cannot control the complete URL or view the results of the request, but can influence the URL prefix.

Recommendations

Mastodon version 4.4.14 or later
Mastodon version 4.5.7 or later

Administrators actively testing the experimental "fasp" feature should update their systems to the latest version. Servers not using the experimental feature flag fasp are not affected.
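The mitigation pattern for this class of bug is to validate an attacker-supplied base URL before the server ever connects to it. The Ruby check below is an added illustration, not Mastodon's own code; the function names, the blocked-range list and the injectable resolver are assumptions made for the example.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Hypothetical defensive check (not Mastodon's code): reject a registration
# base URL whose host is, or resolves to, a loopback, private, link-local or
# otherwise non-public address. The range list is an assumption for this example.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10 ::ffff:0:0/96
].map { |cidr| IPAddr.new(cidr) }

# True when the given IP string lies outside every blocked range.
def public_address?(ip)
  addr = IPAddr.new(ip)
  BLOCKED_RANGES.none? { |range| range.include?(addr) }
end

# The resolver is injectable so the check can be exercised without DNS;
# by default it uses Resolv from the standard library.
def safe_base_url?(base_url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(base_url)
  return false unless uri.is_a?(URI::HTTP)      # URI::HTTPS is a subclass
  return false if uri.hostname.nil? || uri.hostname.empty?
  return false unless uri.userinfo.nil?         # no user:pass@ tricks

  host = uri.hostname                            # brackets already stripped for IPv6
  begin
    return public_address?(host)                 # bare IP literal: check directly
  rescue IPAddr::InvalidAddressError
    # not an IP literal; fall through to name resolution
  end

  addresses = resolver.call(host)
  return false if addresses.empty?
  addresses.all? { |ip| public_address?(ip) }    # every A/AAAA record must be public
rescue URI::InvalidURIError
  false
end
```

Validating only at registration time does not cover DNS rebinding; the address accepted here should also be the one the HTTP client is pinned to when it later connects.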

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

BIT-MASTODON-2026-27477
CVE-2026-27477
GHSA-46W6-G98F-WXQM

Affected Products

Mastodon