PT-2026-21779 · Mastodon

Geeknik
Published: 2026-02-24
Updated: 2026-03-02

CVE-2026-27468
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
- Mastodon versions 4.4.0 through 4.4.13
- Mastodon versions 4.5.0 through 4.5.6
Description: Mastodon is a free, open-source social network server based on ActivityPub. The issue relates to FASP (Federated Actor Subscription Protocol) registration, which requires administrator approval. In affected versions, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content did not properly verify administrator approval. This only impacts Mastodon servers using the experimental FASP feature, which is enabled by setting the EXPERIMENTAL_FEATURES environment variable to include fasp. An attacker can create subscriptions and request content backfill without authorization. Repeated exploitation can lead to a denial-of-service (DoS) condition by overloading the fasp queue worker. The issue also results in a potential information leak of publicly available URIs.
Recommendations:
- Update to Mastodon version 4.4.14
- Update to Mastodon version 4.5.7
Administrators actively testing the "fasp" feature should update their systems. Servers not using the experimental fasp feature flag are not affected.

Weakness Enumeration: DoS, Missing Authorization

Related Identifiers:
- BIT-MASTODON-2026-27468
- CVE-2026-27468
- GHSA-QGMM-VR4C-GGJG

Affected Products: Mastodon