CVE-2026-33869 MEDIUM

CVE-2026-33869: Mastodon has a denial of service for quote authorization

Vendor Mastodon
Product mastodon
Weakness CWE-863 · Incorrect authorization
Published March 27, 2026
Last update March 27, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.

Key dates

02Disclosure timeline

March 27, 2026 CVE published
March 27, 2026 Record updated