CVE-2026-22246
📋 TL;DR
This vulnerability in Mastodon allows any registered local user to access lists of severed relationships (lost followers/followed users) from moderation events without authorization. The leaked information reveals relationship changes but not account names. All Mastodon instances running vulnerable versions are affected.
💻 Affected Systems
- Mastodon
📦 What is this software?
Mastodon by Joinmastodon
⚠️ Risk & Real-World Impact
Worst Case
Malicious users could systematically enumerate all relationship severance events, potentially mapping social connections and identifying moderation patterns across the platform.
Likely Case
Unauthorized users accessing relationship change data that should be private, violating user privacy expectations regarding moderation actions.
If Mitigated
With proper access controls, only authorized users can view relationship severance data, maintaining privacy of moderation actions.
🎯 Exploit Status
Exploitation requires a registered local user account but no special privileges. The vulnerability is straightforward to exploit once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.3.17, v4.4.11, v4.5.4
Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24
Restart Required: Yes
Instructions:
1. Back up your Mastodon instance.
2. Update to v4.3.17, v4.4.11, or v4.5.4, depending on the branch you are currently running.
3. Restart the Mastodon services.
4. Verify the fix by checking the version and testing the access controls.
🔧 Temporary Workarounds
Disable Severed Relationships Notifications
Temporarily disable the severed relationships notification feature to prevent exploitation.
# Edit Mastodon configuration to disable feature
# Requires code modification or feature flag adjustment
🧯 If You Can't Patch
- Implement strict access controls at network/application layer to limit who can access relationship endpoints
- Monitor for unusual access patterns to relationship severance endpoints and alert on suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check Mastodon version: if running 4.3.0-4.3.16, 4.4.0-4.4.10, or 4.5.0-4.5.3, you are vulnerable.
Check Version:
RAILS_ENV=production bundle exec rails runner 'puts Mastodon::Version.to_s'
Verify Fix Applied:
After patching, verify version is 4.3.17+, 4.4.11+, or 4.5.4+. Test that only authorized users can access severed relationship lists.
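To turn the version ranges above into a repeatable check, the following is an added Ruby helper (not Mastodon's own code) that classifies the string printed by the rails runner command. It assumes Mastodon version strings have the usual MAJOR.MINOR.PATCH form with an optional -prerelease or +build suffix.

```ruby
# Added example: classify a Mastodon version string against the affected
# ranges listed for CVE-2026-22246 (4.3.0-4.3.16, 4.4.0-4.4.10, 4.5.0-4.5.3).
# Not part of Mastodon; the version-string shape parsed here is an assumption.

# Affected minor branches mapped to the first fixed patch level on that branch.
AFFECTED_BRANCHES = { [4, 3] => 17, [4, 4] => 11, [4, 5] => 4 }.freeze

# Parse "4.4.10", "4.5.4-rc.1" or "4.3.17+nightly.2026-01-05" into
# [major, minor, patch, prerelease?]. Returns nil if the string does not parse.
def parse_mastodon_version(str)
  m = /\A(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+[0-9A-Za-z.-]+)?\z/.match(str.strip)
  return nil unless m

  [m[1].to_i, m[2].to_i, m[3].to_i, !m[4].nil?]
end

# Returns :vulnerable, :fixed, :not_listed (a branch this advisory does not
# name, so no claim is made) or :unknown (unparseable input).
def cve_2026_22246_status(str)
  parsed = parse_mastodon_version(str)
  return :unknown unless parsed

  major, minor, patch, prerelease = parsed
  first_fixed = AFFECTED_BRANCHES[[major, minor]]
  return :not_listed unless first_fixed
  return :vulnerable if patch < first_fixed
  # A pre-release build of the fixed patch level (e.g. 4.5.4-rc.1) predates the
  # release, so it is reported as vulnerable rather than assumed to carry the fix.
  return :vulnerable if patch == first_fixed && prerelease

  :fixed
end

if __FILE__ == $PROGRAM_NAME
  # Feed it the output of the rails runner command from the section above, e.g.
  #   RAILS_ENV=production bundle exec rails runner 'puts Mastodon::Version.to_s' | ruby check.rb
  version = (ARGV.first || $stdin.read).to_s
  puts "#{version.strip}: #{cve_2026_22246_status(version)}"
end
```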
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /api/v1/severed_relationships endpoints
- Multiple failed authorization attempts for relationship endpoints
Network Indicators:
- Increased requests to relationship API endpoints from single users
- Pattern of enumeration-style requests to relationship endpoints
SIEM Query:
source="mastodon" AND (uri_path="/api/v1/severed_relationships" OR uri_path LIKE "/api/v1/severed_relationships/%") AND user_id NOT IN [authorized_users]
🔗 References
- https://github.com/mastodon/mastodon/commit/68e30985ca7afdb89af1b2e9dc962e1993dc8076
- https://github.com/mastodon/mastodon/commit/b2bcd34486fd6681cc0f30028086ef0f47282adf
- https://github.com/mastodon/mastodon/commit/c1fb6893c5175d74c074f6f786d504c8bc610d57
- https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24