CVE-2026-27477
📋 TL;DR
This vulnerability allows unauthenticated attackers to register FASP accounts with attacker-controlled base URLs that point to internal systems, forcing Mastodon servers to make HTTP(S) requests to internal infrastructure. Only affects Mastodon servers with the experimental FASP feature enabled via the EXPERIMENTAL_FEATURES environment variable. Attackers cannot see response data but can trigger vulnerabilities in internal systems.
💻 Affected Systems
- Mastodon
📦 What is this software?
Mastodon by Joinmastodon
⚠️ Risk & Real-World Impact
Worst Case
Attacker triggers critical vulnerabilities in internal systems (SSRF leading to RCE, data exposure, or service disruption) by forcing Mastodon to make requests to internal services.
Likely Case
Attacker performs internal network reconnaissance, triggers minor vulnerabilities in internal services, or causes denial of service to internal systems.
If Mitigated
Limited impact due to network segmentation, internal service hardening, or quick detection of anomalous internal requests.
🎯 Exploit Status
Exploitation requires knowledge of internal network addresses but is straightforward once obtained. No authentication required for registration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.14 and 4.5.7
Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories/GHSA-46w6-g98f-wxqm
Restart Required: Yes
Instructions:
1. Update Mastodon to version 4.4.14 or 4.5.7 or later.
2. Restart the Mastodon services.
3. Verify that the EXPERIMENTAL_FEATURES environment variable still contains the flags you require.
🔧 Temporary Workarounds
Disable FASP experimental feature
Linux: Remove 'fasp' from the EXPERIMENTAL_FEATURES environment variable to disable the vulnerable functionality
# Drop the 'fasp' entry from the comma-separated list without leaving stray commas or clipping other flags that merely contain "fasp"
export EXPERIMENTAL_FEATURES=$(printf '%s' "$EXPERIMENTAL_FEATURES" | tr ',' '\n' | grep -vx 'fasp' | paste -sd ',' -)
# This only changes the current shell; a systemd-managed Mastodon reads its environment from .env.production, so remove 'fasp' there as well before restarting (adjust unit names, e.g. mastodon-web mastodon-sidekiq mastodon-streaming)
systemctl restart mastodon
🧯 If You Can't Patch
- Disable FASP experimental feature by removing 'fasp' from EXPERIMENTAL_FEATURES environment variable
- Implement network segmentation to restrict Mastodon server's outbound connections to internal networks
🔍 How to Verify
Check if Vulnerable:
Check whether EXPERIMENTAL_FEATURES contains 'fasp' AND the Mastodon version is 4.4.0 through 4.4.13 or 4.5.0 through 4.5.6
Check Version:
cd /path/to/mastodon && bundle exec rails runner 'puts Mastodon::Version.to_s'
Verify Fix Applied:
Verify that the Mastodon version is 4.4.14+ or 4.5.7+ AND that FASP registration no longer accepts base URLs pointing at internal addresses
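The two checks above can be combined into one script. The following is an added example, not part of the advisory and not Mastodon project code: it takes the version string (as printed by the rails runner command above) and the EXPERIMENTAL_FEATURES value and reports whether the deployment matches the vulnerable combination this page describes. The affected version ranges and the comma-separated flag format come from the page; the assumption that version strings are dotted numbers with an optional pre-release or build suffix (such as `4.5.7-rc1`) is mine.

```python
"""Added example: decide whether a Mastodon deployment matches the vulnerable
combination described on this page ('fasp' enabled AND version in
4.4.0-4.4.13 or 4.5.0-4.5.6). Version ranges are taken from the page; the
version-string shape (dotted numbers, optional '-rc1'/'+build' suffix) is an
assumption of this example."""
import os
import re

# Inclusive ranges from the advisory summary, as (low, high) tuples.
AFFECTED_RANGES = (((4, 4, 0), (4, 4, 13)), ((4, 5, 0), (4, 5, 6)))


def parse_version(text):
    """Turn '4.4.13' (or '4.5.7-rc1', '4.4.14+glitch') into a 3-int tuple.

    Suffixes after '-' or '+' are ignored, so a pre-release of a fixed
    version compares as fixed; treat such builds conservatively."""
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return (nums + (0, 0, 0))[:3]


def parse_features(env_value):
    """EXPERIMENTAL_FEATURES is a comma-separated list; ignore whitespace/empties."""
    return {f.strip() for f in (env_value or "").split(",") if f.strip()}


def fasp_enabled(env_value):
    """Exact-token match: a flag that merely contains 'fasp' does not count."""
    return "fasp" in parse_features(env_value)


def version_affected(version_text):
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def is_vulnerable(version_text, env_value):
    """True only when both advisory conditions hold."""
    return fasp_enabled(env_value) and version_affected(version_text)


def assess(version_text, env_value):
    """Human-readable verdict with the reason, for a runbook or check script."""
    if not fasp_enabled(env_value):
        return "not vulnerable: 'fasp' is not in EXPERIMENTAL_FEATURES"
    if version_affected(version_text):
        return (f"VULNERABLE: fasp enabled on {version_text}; "
                "upgrade to 4.4.14 / 4.5.7 or later, or remove 'fasp'")
    return (f"not vulnerable: fasp enabled but {version_text} is outside "
            "the affected ranges listed on this page")


if __name__ == "__main__":
    # MASTODON_VERSION is a hypothetical variable for this example; in practice
    # feed in the output of: bundle exec rails runner 'puts Mastodon::Version.to_s'
    # The defaults below are constructed sample values, not a real deployment.
    print(assess(os.environ.get("MASTODON_VERSION", "4.4.13"),
                 os.environ.get("EXPERIMENTAL_FEATURES", "fasp")))
```

Read the flags from the environment Mastodon actually starts with (for systemd deployments that is `.env.production`), not from an interactive shell, or the check will report on the wrong configuration.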
📡 Detection & Monitoring
Log Indicators:
- Unusual FASP registration attempts with internal IP addresses in base_url
- HTTP requests from Mastodon server to internal systems not normally accessed
Network Indicators:
- Outbound HTTP(S) requests from Mastodon server to internal RFC1918 addresses
- Unusual request patterns to internal services
SIEM Query:
source="mastodon.log" AND "fasp" AND "registration" AND ("localhost" OR "127." OR "[::1]" OR "10." OR "192.168." OR "172.16." OR "172.17." OR "172.18." OR "172.19." OR "172.20." OR "172.21." OR "172.22." OR "172.23." OR "172.24." OR "172.25." OR "172.26." OR "172.27." OR "172.28." OR "172.29." OR "172.30." OR "172.31.")
Note: the 172.16.0.0/12 block spans 172.16. through 172.31., so matching "172.16." alone misses most of it; the string match also cannot catch a hostname that resolves to an internal address.
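A string-prefix SIEM query like the one above is easy to evade with IPv6 literals, link-local addresses or the upper part of 172.16.0.0/12. The script below is an added example, not part of the advisory and not Mastodon's own logging code: it scans log lines for FASP registrations and classifies the base_url host with the `ipaddress` module, which covers RFC1918, loopback, link-local (including the 169.254.169.254 cloud metadata address) and other non-global ranges for both IPv4 and IPv6. The log line format and all sample lines are constructed for this example; `LOG_PATTERN` is an assumption and must be adapted to the format your Mastodon/Rails logs actually emit.

```python
"""Added example: flag FASP registrations whose base_url points at a
non-public address. Log format and sample lines are constructed, not real
Mastodon output; adapt LOG_PATTERN to your own log format."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines (not real Mastodon output).
SAMPLE_LOG = """\
2026-03-01T10:00:01Z INFO fasp registration name="weather" base_url="https://fasp.example.org/"
2026-03-01T10:00:07Z INFO fasp registration name="probe1" base_url="http://10.0.0.5:8080/fasp"
2026-03-01T10:00:09Z INFO fasp registration name="probe2" base_url="http://127.0.0.1:9200/"
2026-03-01T10:00:12Z INFO fasp registration name="probe3" base_url="http://[::1]:6379/"
2026-03-01T10:00:15Z INFO fasp registration name="probe4" base_url="http://169.254.169.254/latest/meta-data/"
2026-03-01T10:00:20Z INFO fasp registration name="probe5" base_url="http://localhost/admin"
2026-03-01T10:00:25Z INFO fasp registration name="probe6" base_url="http://172.20.1.9/"
2026-03-01T10:00:30Z INFO unrelated request path="/api/v1/timelines/home"
"""

# Assumed line shape: '... fasp registration ... base_url="<url>"'.
LOG_PATTERN = re.compile(r'fasp registration .*?base_url="(?P<url>[^"]+)"')


def classify_host(host):
    """Return a reason string if the host is not a public address, else None.

    Literal IPs are checked with ipaddress (loopback, link-local, RFC1918,
    ULA and any other non-global range). 'localhost' is the only hostname
    flagged: any other hostname may still resolve to an internal address,
    which a log-only review cannot determine."""
    if host is None:
        return "no host in URL"
    lowered = host.lower()
    if lowered == "localhost" or lowered.endswith(".localhost"):
        return "localhost name"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # hostname: needs resolution-time checking, not log review
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private range"
    if not ip.is_global:
        return "non-global"
    return None


def suspicious_registrations(log_text):
    """Return [(line_number, url, reason)] for registrations with an internal base_url."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_PATTERN.search(line)
        if not m:
            continue
        url = m.group("url")
        reason = classify_host(urlsplit(url).hostname)
        if reason:
            hits.append((n, url, reason))
    return hits


if __name__ == "__main__":
    for n, url, reason in suspicious_registrations(SAMPLE_LOG):
        print(f"line {n}: {reason}: {url}")
```

This goes further than the page's indicator list in that it handles IPv6 and link-local addresses as well as RFC1918. Its limit is the same as any log-based check: a registration whose base_url is a public hostname that resolves to an internal address is not visible here, which is why the patched versions, not log review, are the control, and why the second network indicator above (outbound requests from the Mastodon host to internal ranges) remains worth monitoring independently.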