CVE-2026-41259 HIGH

CVE-2026-41259: Mastodon: Insufficient verification of email addresses

Vendor Mastodon
Product mastodon
Weakness CWE-841
Published April 23, 2026
Last update April 23, 2026

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows administrators to restrict new user sign-ups based on e-mail domain names and performs basic validation on e-mail addresses, but it fails to restrict characters that some mail servers interpret differently, so the domain an address is validated against may not be the domain that actually receives mail for it. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.

Key dates

02 Disclosure timeline

April 23, 2026 CVE published
April 23, 2026 Record updated