CVE-2026-22245 HIGH

CVE-2026-22245: Mastodon has SSRF Protection bypass

Vendor Mastodon

Product mastodon

Weakness CWE-918 · SSRF

Published January 8, 2026

Last update January 8, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in `ALLOWED_PRIVATE_ADDRESSES`) to avoid the "confused deputy" problem. The list of disallowed IP address ranges was lacking some IP address ranges that can be used to reach local IP addresses. An attacker can use an IP address in the affected ranges to make Mastodon perform HTTP requests against loopback or local network hosts, potentially allowing access to otherwise private resources and services. This is fixed in Mastodon v4.5.4, v4.4.11, v4.3.17 and v4.2.29.

Key dates

02Disclosure timeline

January 8, 2026 CVE published

January 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-22245 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

Identifiers

CVE CVE-2026-22245

CWE CWE-918

CVSS 7.1 / HIGH

Affected versions

Vendor Mastodon

Product mastodon

Affected < 4.2.29

Vendor Mastodon

Product mastodon

Affected >= 4.3.0-beta.1, < 4.3.17

Vendor Mastodon

Product mastodon

Affected >= 4.4.0-beta.1, < 4.4.11

Vendor Mastodon

Product mastodon

Affected >= 4.5.0-beta.1, < 4.5.4

CVE-2026-22245: Mastodon has SSRF Protection bypass

01Description

02Disclosure timeline

03References

04Related CVE