PT-2026-6319 · Mastodon +1 · Odgrso · Published 2026-02-04 · Updated 2026-02-06

CVE-2026-25540

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions

Mastodon versions prior to 4.3.19
Mastodon versions prior to 4.4.13
Mastodon versions prior to 4.5.6

Description

Mastodon, a free, open-source social network server based on ActivityPub, contains a web cache poisoning flaw. When the AUTHORIZED_FETCH setting is enabled, the ActivityPub endpoints for pinned posts and featured hashtags decide what to return based on the account that signed the HTTP request. However, the generated content is stored in and reused from an internal cache whose key does not take the signing actor into account. As a result, the first request to populate the cache determines what later requesters receive: content intended for legitimate users can be served to blocked users, or the reduced content rendered for a blocked user can be served to legitimate ones, potentially exposing information or altering the user experience. The root cause is that cached responses are not partitioned by the requesting account. The vulnerable component is Rails.cache.

Recommendations

Update Mastodon to version 4.3.19 or later.
Update Mastodon to version 4.4.13 or later.
Update Mastodon to version 4.5.6 or later.
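The keying mistake the description above refers to, shown as an added illustration that is not Mastodon's code and not the actual patch: a small in-memory stand-in for Rails.cache, an endpoint cached on the account alone beside one cached on account plus signing actor, with constructed sample accounts and block lists.

```ruby
# In-memory stand-in for Rails.cache (assumption: mimics only fetch-with-block).
class MemoryCache
  def initialize
    @store = {}
  end

  # Return the cached value for key, or compute, store and return it.
  def fetch(key)
    return @store[key] if @store.key?(key)
    @store[key] = yield
  end
end

# Constructed sample data: "alice" has pinned two posts and has blocked "mallory".
BLOCKS = { "alice" => ["mallory"] }.freeze
PINNED = { "alice" => ["post-1", "post-2"] }.freeze

# What the pinned-posts endpoint should render for a given signing actor:
# a blocked signer gets nothing, anyone else gets the account's pinned posts.
def render_pinned(account, signer)
  return [] if BLOCKS.fetch(account, []).include?(signer)
  PINNED.fetch(account, [])
end

# Vulnerable pattern: the cache key depends on the account only, so whichever
# signer populates the cache first decides what every later signer is served.
def pinned_unkeyed(cache, account, signer)
  cache.fetch("pinned:#{account}") { render_pinned(account, signer) }
end

# Corrected pattern (assumption, not the upstream fix): the signing actor is
# part of the cache key, so entries rendered for one signer never reach another.
def pinned_keyed(cache, account, signer)
  cache.fetch("pinned:#{account}:signer=#{signer}") { render_pinned(account, signer) }
end
```

Running both variants with a legitimate signer first and the blocked signer second shows the unkeyed cache handing the blocked account the full list while the keyed cache keeps the two views separate.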

Related Identifiers

BIT-MASTODON-2026-25540
CVE-2026-25540
GHSA-CCPR-M53R-MFWR

Affected Products

Mastodon
Rails.Cache