Mastodon has a denial of service for quote authorization

4.8 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Description

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.

Basic Information

ID CVE-2026-33869

Source GitHub_M

Published Mar 27, 2026 at 19:52

Modified Mar 27, 2026 at 20:29

Affected Product

Vendor mastodon

Product mastodon

Version >= 4.5.0, < 4.5.8

Affected Versions mastodon mastodon >= 4.5.0, < 4.5.8
mastodon mastodon >= 4.4.0, < 4.4.15

CWE Classification

CWE-863

References

github.com /mastodon/mastodon/security/advisories/GHSA-q4g8-82c5-9h33

{
    "lastseen": "",
    "description": "Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.",
    "published": "2026-03-27T19:52:21.166Z",
    "modified": "2026-03-27T20:29:18.521Z",
    "type": "cve",
    "title": "Mastodon has a denial of service for quote authorization",
    "source": "GitHub_M",
    "references": "https://github.com/mastodon/mastodon/security/advisories/GHSA-q4g8-82c5-9h33",
    "id": "CVE-2026-33869",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "mastodon mastodon >= 4.5.0, < 4.5.8\nmastodon mastodon >= 4.4.0, < 4.4.15",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "mastodon",
    "version": ">= 4.5.0, < 4.5.8",
    "vendor": "mastodon",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Mastodon has a denial of service for quote authorization_CVE-2026-33869