{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27477", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-19T19:46:03.539Z", "datePublished": "2026-02-24T19:00:20.590Z", "dateUpdated": "2026-02-26T19:29:12.052Z"}, "containers": {"cna": {"title": "Mastodon has SSRF via unvalidated FASP Provider base_url", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-46w6-g98f-wxqm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-46w6-g98f-wxqm"}, {"name": "https://github.com/mastodon/mastodon/commit/7b85d2182361e68d51d9a02f94fb1070b5f503b1", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/commit/7b85d2182361e68d51d9a02f94fb1070b5f503b1"}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"version": ">= 4.4.0, < 4.4.14", "status": "affected"}, {"version": ">= 4.5.0, < 4.5.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T19:00:20.590Z"}, "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen `base_url` that includes or resolves to a local / internal address, leading to the Mastodon server making requests to that address. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can force the Mastodon server to make http(s) requests to internal systems. While they cannot control the full URL that is being requested (only the prefix) and cannot see the result of those requests, vulnerabilities or other undesired behavior could be triggered in those systems. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental \"fasp\" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected."}], "source": {"advisory": "GHSA-46w6-g98f-wxqm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T19:10:24.251802Z", "id": "CVE-2026-27477", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T19:29:12.052Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8A96B12-8C08-4A0C-88A8-B7B2B7AED3BF", "versionEndExcluding": "4.4.14", "versionStartIncluding": "4.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "65E9009A-6D3F-4758-8EAA-6D832F06F3F6", "versionEndExcluding": "4.5.7", "versionStartIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen `base_url` that includes or resolves to a local / internal address, leading to the Mastodon server making requests to that address. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can force the Mastodon server to make http(s) requests to internal systems. While they cannot control the full URL that is being requested (only the prefix) and cannot see the result of those requests, vulnerabilities or other undesired behavior could be triggered in those systems. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental \"fasp\" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected."}], "id": "CVE-2026-27477", "lastModified": "2026-02-26T21:17:15.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T20:27:50.173", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mastodon/mastodon/commit/7b85d2182361e68d51d9a02f94fb1070b5f503b1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Patch"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-46w6-g98f-wxqm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.4.0,4.4.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.5.0,4.5.7)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "mastodon", "source": "cna", "vendor": "mastodon"}, "product": "mastodon", "vendor": "joinmastodon"}], "analysis": {"en": {"generated_at": "2026-04-17T15:41:19.369146+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading Mastodon to version 4.4.14 or newer, or version 4.5.7 or newer.", "If an upgrade cannot be performed immediately, temporarily disable the experimental fasp feature by removing fasp from the EXPERIMENTAL_FEATURES environment variable.", "Restrict FASP provider registrations to verified administrators and review any pending registrations once the patch is applied."], "summary": {"action": "Patch Update", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The issue affects Mastodon servers running version 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6 that have enabled the experimental FASP feature by setting the EXPERIMENTAL_FEATURES environment variable to include fasp. Servers using the official releases after 4.4.14 or 4.5.7, or those not exercising the fasp feature, are not impacted. The problem exists only for administrators who have approved the FASP registration process.", "description_and_impact": "This vulnerability allows an unauthenticated attacker to register a FASP provider with a base_url that points to an internal or local address. The Mastodon server then makes HTTP(S) requests to that address without validation. The attacker cannot control the full URL or access the response, but the forced requests can trigger vulnerabilities or other unintended behavior on internal systems. The weakness is a server\u2011side request forgery (CWE\u2011918).", "risk_and_exploitability": "With a CVSS score of 4.6 the severity is moderate, and the EPSS score is below 1%, indicating a low likelihood of exploitation in the real world. The vulnerability is not listed in CISA\u2019s KEV catalog. An attacker can exploit it without authentication, but must have the fasp feature enabled. The lack of response visibility limits the immediate affect, yet internal systems could be coerced into vulnerable actions. The risk is therefore modest but non\u2011zero for enabled systems."}}}}, "created": "2026-02-25T11:35:40.843847+00:00", "updated": "2026-04-17T15:45:15.904890+00:00", "vendors": ["joinmastodon", "joinmastodon$PRODUCT$mastodon"]}