{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25540", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T19:59:47.375Z", "datePublished": "2026-02-04T21:42:09.460Z", "dateUpdated": "2026-02-05T18:30:11.981Z"}, "containers": {"cna": {"title": "Mastodon's signature-dependent ActivityPub collection responses cached under signature-independent keys (Web Cache Poisoning via `Rails.cache`)", "problemTypes": [{"descriptions": [{"cweId": "CWE-524", "lang": "en", "description": "CWE-524: Use of Cache Containing Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr"}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"version": "< 4.3.19", "status": "affected"}, {"version": "< 4.4.13", "status": "affected"}, {"version": "< 4.5.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T21:42:09.460Z"}, "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regards to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6."}], "source": {"advisory": "GHSA-ccpr-m53r-mfwr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T18:30:03.654017Z", "id": "CVE-2026-25540", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T18:30:11.981Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25540", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T18:30:03.654017Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T18:30:08.257Z"}}], "cna": {"title": "Mastodon's signature-dependent ActivityPub collection responses cached under signature-independent keys (Web Cache Poisoning via `Rails.cache`)", "source": {"advisory": "GHSA-ccpr-m53r-mfwr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"status": "affected", "version": "< 4.3.19"}, {"status": "affected", "version": "< 4.4.13"}, {"status": "affected", "version": "< 4.5.6"}]}], "references": [{"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr", "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regards to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-524", "description": "CWE-524: Use of Cache Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T21:42:09.460Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25540", "state": "PUBLISHED", "dateUpdated": "2026-02-05T18:30:11.981Z", "dateReserved": "2026-02-02T19:59:47.375Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T21:42:09.460Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C5EDBA6-4837-43AB-AEF3-C61A974B5017", "versionEndExcluding": "4.3.19", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A55C7B9-3FC4-4DB8-8C33-8C3435A54F63", "versionEndExcluding": "4.4.13", "versionStartIncluding": "4.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3A0CD1A-0EC2-43E3-8273-D3D06A65A2D9", "versionEndExcluding": "4.5.6", "versionStartIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regards to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6."}, {"lang": "es", "value": "Mastodon es un servidor de red social gratuito, de c\u00f3digo abierto, basado en ActivityPub. Antes de las versiones 4.3.19, 4.4.13, 4.5.6, Mastodon es vulnerable al envenenamiento de cach\u00e9 web a trav\u00e9s de 'Rails.cache'. Cuando AUTHORIZED_FETCH est\u00e1 habilitado, los puntos finales de ActivityPub para publicaciones fijadas y hashtags destacados tienen contenidos que dependen de la cuenta que firm\u00f3 la solicitud HTTP. Sin embargo, estos contenidos se almacenan en una cach\u00e9 interna y se reutilizan sin tener en cuenta al actor firmante. Como resultado, una respuesta vac\u00eda generada para una cuenta de usuario bloqueada puede ser servida a solicitudes de actores leg\u00edtimos no bloqueados, o, a la inversa, contenido destinado a actores no bloqueados puede ser devuelto a actores bloqueados. Este problema ha sido parcheado en las versiones 4.3.19, 4.4.13, 4.5.6."}], "id": "CVE-2026-25540", "lastModified": "2026-02-20T21:02:56.213", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-04T22:16:00.233", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-524"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T13:44:24.133399+00:00", "value": {"mitigation_remediation": ["Upgrade Mastodon to version\u202f4.3.19,\u202f4.4.13,\u202f4.5.6 or later to apply the cache\u2011key fix.", "Verify that the AUTHORIZED_FETCH configuration is correctly set and use it only if necessary.", "After upgrading, clear existing Rails.cache entries to ensure no poisoned content remains in the cache."], "summary": {"action": "Apply Patch", "impact": "Web cache poisoning that can lead to disclosure or misdelivery of ActivityPub content"}, "threat_synthesis": {"affected_systems": "Mastodon, the open\u2011source social network server based on ActivityPub. All releases before 4.3.19, 4.4.13, and 4.5.6 are affected. The vulnerability manifests when the AUTHORIZED_FETCH setting is enabled and the Rails cache is used for ActivityPub collection responses.", "description_and_impact": "Mastodon prior to versions 4.3.19, 4.4.13, and 4.5.6 stored content retrieved from the ActivityPub endpoints for pinned posts and featured hashtags in an internal cache that ignores the signature of the requesting actor. If an actor is blocked, the cached response may be an empty or incomplete payload; if an actor is authorized, the cached response may contain content intended for other actors. The vulnerability allows legitimate users to receive incorrect or potentially sensitive data, undermining the integrity of the content served and exposing the platform to information leakage.", "risk_and_exploitability": "The CVSS score of 6.5 reflects moderate impact, while the EPSS score of less than 1% indicates a low probability of ongoing exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the issue by making requests to the pinned posts or featured hashtags endpoints while signed as an actor whose cache key is shared across different actors. If the attacker controls a blocked actor account, they may receive empty responses, and if they control a non\u2011blocked actor, they may obtain content meant for other actors. The attack requires authentication to sign requests but can be performed either by a legitimate user or a compromised account. Because the cache persists across requests, the exploit can affect many users until the cache is purged or the application is updated."}}}}, "created": "2026-02-05T11:39:20.607842+00:00", "updated": "2026-04-18T13:45:45.682644+00:00", "vendors": ["joinmastodon", "joinmastodon$PRODUCT$mastodon"]}