{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41259", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T14:01:46.801Z", "datePublished": "2026-04-23T18:55:20.854Z", "dateUpdated": "2026-04-23T19:24:15.567Z"}, "containers": {"cna": {"title": "Mastodon: Insufficient verification of email addresses", "problemTypes": [{"descriptions": [{"cweId": "CWE-841", "lang": "en", "description": "CWE-841: Improper Enforcement of Behavioral Workflow", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-5r37-qpwq-2jhh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-5r37-qpwq-2jhh"}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"version": "< 4.3.22", "status": "affected"}, {"version": ">= 4.4.0-beta.1, < 4.4.16", "status": "affected"}, {"version": ">= 4.5.0-beta.1, < 4.5.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T18:55:20.854Z"}, "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22."}], "source": {"advisory": "GHSA-5r37-qpwq-2jhh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T19:23:56.034984Z", "id": "CVE-2026-41259", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T19:24:15.567Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41259", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T19:23:56.034984Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T19:24:12.583Z"}}], "cna": {"title": "Mastodon: Insufficient verification of email addresses", "source": {"advisory": "GHSA-5r37-qpwq-2jhh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"status": "affected", "version": "< 4.3.22"}, {"status": "affected", "version": ">= 4.4.0-beta.1, < 4.4.16"}, {"status": "affected", "version": ">= 4.5.0-beta.1, < 4.5.9"}]}], "references": [{"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-5r37-qpwq-2jhh", "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-5r37-qpwq-2jhh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-841", "description": "CWE-841: Improper Enforcement of Behavioral Workflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T18:55:20.854Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41259", "state": "PUBLISHED", "dateUpdated": "2026-04-23T19:24:15.567Z", "dateReserved": "2026-04-18T14:01:46.801Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-23T18:55:20.854Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFC3E504-AD0E-419F-92CD-6D9BBB400C55", "versionEndExcluding": "4.3.22", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A46E8CF-36DF-4A93-AF47-9B4A129D8E87", "versionEndExcluding": "4.4.16", "versionStartIncluding": "4.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "82AB4B93-8B3E-4A04-BE44-BF4B1D924132", "versionEndExcluding": "4.5.9", "versionStartIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22."}], "id": "CVE-2026-41259", "lastModified": "2026-04-28T18:50:54.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-23T19:17:30.027", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-5r37-qpwq-2jhh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-841"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.22)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.4.0-beta.1,4.4.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.5.0-beta.1,4.5.9)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "mastodon", "source": "cna", "vendor": "mastodon"}, "product": "mastodon", "vendor": "joinmastodon"}], "analysis": {"en": {"generated_at": "2026-04-28T14:46:33.333790+00:00", "value": {"mitigation_remediation": ["Upgrade Mastodon to version 4.5.9, 4.4.16, or 4.3.22 to apply the official fix issued for this issue", "If an upgrade is not immediately possible, disable or remove domain\u2011based email restrictions to prevent bypass through malformed addresses", "Implement your own server\u2011side email validation that rejects characters that may be interpreted differently by mail servers, in line with best practices for input validation targeting CWE\u2011841"], "summary": {"action": "Apply patch", "impact": "Unauthorized Registration"}, "threat_synthesis": {"affected_systems": "The affected product is Mastodon distributed by the mastodon vendor. Versions prior to 4.5.9, 4.4.16, and 4.3.22 are vulnerable. Users running any earlier release of the software are impacted until they update to one of the patched versions.", "description_and_impact": "Mastodon allows new user registration to be limited by email domain name but performs insufficient validation of the email addresses submitted. The system does not prevent characters that can be interpreted differently by certain mail servers, allowing an attacker to register an account with a deceptively valid address. While the vulnerability does not provide immediate remote code execution, it can enable an attacker to create accounts that bypass domain restrictions, potentially facilitating social engineering, spam, or other malicious activities on the platform.", "risk_and_exploitability": "The CVSS score of 8.2 indicates high severity. The EPSS score of less than 1% suggests that exploitation is currently considered unlikely, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is a remote user initiating a registration request. An attacker could exploit the lack of email validation to create a user account that appears to belong to a whitelisted domain, thereby bypassing administrative controls."}}}}, "created": "2026-04-28T08:45:26.978036+00:00", "updated": "2026-04-28T15:00:14.483515+00:00", "vendors": ["joinmastodon", "joinmastodon$PRODUCT$mastodon"]}