CVE-2026-27477 in Mastodon

Summary

by MITRE • 02/24/2026

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen `base_url` that includes or resolves to a local / internal address, leading to the Mastodon server making requests to that address. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can force the Mastodon server to make http(s) requests to internal systems. While they cannot control the full URL that is being requested (only the prefix) and cannot see the result of those requests, vulnerabilities or other undesired behavior could be triggered in those systems. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.


Analysis

by VulDB Data Team • 02/28/2026

CVE-2026-27477 represents a significant security vulnerability in Mastodon server implementations that affects versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6. This vulnerability specifically targets the Federated ActivityPub Server Protocol (FASP) feature, which operates as an experimental functionality requiring explicit administrator approval through the EXPERIMENTAL_FEATURES environment variable. The flaw resides in the FASP registration process where unauthenticated attackers can manipulate the base_url parameter to include or resolve to local/internal network addresses. This creates a server-side request forgery (SSRF) condition under CWE-918, where the Mastodon server inadvertently makes HTTP(S) requests to internal systems that would normally be protected from external access. The vulnerability operates at the application layer and represents a classic case of insecure direct object reference, as described in CWE-639, where the system fails to properly validate and sanitize user-provided URLs before using them for network communications.

The operational impact of this vulnerability extends beyond simple information disclosure, as it enables attackers to probe internal network infrastructure and potentially trigger cascading security issues within the target environment. While attackers cannot control the complete URL structure of the requests made, they can influence the prefix portion of the URL, allowing them to target internal services that might be vulnerable to exploitation or that could reveal sensitive information through their responses. The vulnerability particularly affects organizations that have enabled the experimental FASP feature, creating a potential attack surface that could be leveraged to map internal network topology, identify running services, or potentially exploit weaknesses in internal systems that are not properly secured against internal threats. This aligns with ATT&CK technique T1016 for system network configuration discovery and T1104 for multi-stage command and control, as the vulnerability enables reconnaissance and potential lateral movement within the network.

Administrative mitigation requires immediate attention from system operators who have enabled the experimental FASP feature, as the vulnerability can be exploited to create unauthorized communication channels between the Mastodon server and internal systems. The fix implemented in versions 4.4.14 and 4.5.7 addresses the core issue by implementing proper URL validation and sanitization for FASP registration requests, ensuring that only valid external URLs are accepted. Organizations should also consider implementing network segmentation and firewall rules to limit internal server communication, as well as monitoring for unusual outbound requests that might indicate exploitation attempts. The vulnerability demonstrates the importance of validating all user-provided inputs, particularly those used for network communications, and highlights the risks associated with experimental features that may not undergo the same security scrutiny as core functionality. Servers that have not enabled the EXPERIMENTAL_FEATURES flag with fasp are not affected by this vulnerability, making proper configuration management and feature activation controls essential for maintaining security posture.
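The validation the fix calls for, as an added example rather than Mastodon's own code: a FASP `base_url` is accepted only if it uses https, carries no credentials, and every address it names or resolves to is public. The DNS data and host names below are constructed so the check runs offline; a deployment would pass a real resolver instead.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Address ranges a server-initiated request must never reach: loopback,
# RFC 1918, link-local (incl. cloud metadata endpoints), CGNAT, IPv6 ULA.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

def internal_address?(ip)
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped? # ::ffff:10.0.0.1 -> 10.0.0.1
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Constructed DNS answers so the example runs offline; a real deployment
# would inject a resolver such as ->(h) { Resolv.getaddresses(h) }.
FAKE_DNS = {
  'fasp.example' => ['203.0.113.10'],
  'evil.example' => ['203.0.113.10', '10.0.0.5'], # one public, one internal
  'meta.example' => ['169.254.169.254'],
}.freeze
FAKE_RESOLVER = ->(host) { FAKE_DNS.fetch(host, []) }

# Returns [:ok, addresses] when base_url may be contacted, else [:reject, reason].
# Callers should pin the returned addresses for the actual connection so a
# changed DNS answer cannot redirect the request after validation (rebinding).
def validate_base_url(base_url, resolver: FAKE_RESOLVER)
  uri = begin
    URI.parse(base_url)
  rescue URI::InvalidURIError
    return [:reject, 'unparseable URL']
  end
  return [:reject, 'scheme must be https'] unless uri.scheme == 'https'
  return [:reject, 'missing host'] if uri.hostname.nil? || uri.hostname.empty?
  return [:reject, 'credentials in URL not allowed'] if uri.userinfo

  ips = begin
    [IPAddr.new(uri.hostname)] # literal IP in the URL
  rescue IPAddr::InvalidAddressError
    resolver.call(uri.hostname).map { |a| IPAddr.new(a) } # check every answer
  end
  return [:reject, 'host does not resolve'] if ips.empty?
  bad = ips.find { |ip| internal_address?(ip) }
  return [:reject, "resolves to internal address #{bad}"] if bad
  [:ok, ips.map(&:to_s)]
end

puts validate_base_url('https://fasp.example/').inspect   # [:ok, ["203.0.113.10"]]
puts validate_base_url('https://127.0.0.1:3000/').inspect # [:reject, "resolves to internal address 127.0.0.1"]
```

A host with several answers is rejected if any one of them is internal, which is the case the `evil.example` entry exercises.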

Responsible: GitHub M
Reservation: 02/19/2026
Disclosure: 02/24/2026
Moderation: accepted
CPE: ready
EPSS: 0.00072
KEV: no
Activities: very low
