Cyber Posture

CVE-2026-27468

Severity: High

Published: 24 February 2026

Modified: 26 February 2026
KEV Added: not listed
Patch: fixed in 4.4.14 and 4.5.7
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0006 (19.1th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27468 is a high-severity Missing Authorization (CWE-862) vulnerability in Joinmastodon Mastodon. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 19.1th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent · AC-3 requires enforcement of approved authorizations, directly addressing the missing verification of FASP administrator approval before allowing subscriptions and backfill requests.

prevent · SC-5 protects against denial-of-service events such as the resource exhaustion of the Sidekiq fasp queue caused by repeated unauthorized requests.

prevent · AC-6 enforces least privilege, ensuring FASP-related processes only perform approved actions and mitigating unauthorized subscriptions or backfills.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.003 Application Exhaustion Flood (Impact): Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

Why these techniques?

Missing authorization in public-facing Mastodon FASP feature enables remote unauthenticated exploitation (T1190) and repeated abuse of resource-intensive subscribe/backfill actions to exhaust Sidekiq workers (T1499.003).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content did not check properly whether the FASP was actually approved. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can make subscriptions and request content backfill without approval by an administrator. Done once, this leads to minor information leak of URIs that are publicly available anyway. But done several times this is a serious vector for DoS, putting pressure on the sidekiq worker responsible for the `fasp` queue. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.

Deeper analysis [AI-generated]

CVE-2026-27468 is a missing authorization vulnerability (CWE-862) in Mastodon, a free, open-source social network server based on ActivityPub. It affects versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, but only on servers that have enabled the experimental FASP feature by including "fasp" in the EXPERIMENTAL_FEATURES environment variable. The issue arises because FASP registration requires manual administrator approval, but the actions a FASP performs to subscribe to account or content lifecycle events, or to backfill content, fail to verify whether that FASP has actually been approved.

The vulnerability can be exploited remotely over the network by unauthenticated attackers with no privileges required (AV:N/AC:L/PR:N). An attacker can initiate subscriptions and content backfill requests without administrator approval. A single exploitation results in a minor information leak of URIs that are publicly available anyway. However, repeated exploitation serves as a serious denial-of-service vector, overwhelming the Sidekiq worker responsible for processing the "fasp" queue and potentially disrupting server operations. The CVSS v3.1 base score is 8.2 (C:L/I:N/A:H).

The Mastodon security advisory (GHSA-qgmm-vr4c-ggjg) and associated fix commit recommend updating to Mastodon 4.4.14 or 4.5.7, which include patches to enforce proper approval checks. Administrators testing the experimental FASP feature should apply these updates immediately. Servers not enabling the "fasp" flag in EXPERIMENTAL_FEATURES are unaffected.
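The following is an added example, not Mastodon's code and not taken from the advisory or the fix commit. It models the control the analysis above describes: a FASP registration record carries an administrator-set approval flag, and the subscribe/backfill handler must consult that flag before enqueuing work. Every name in it (Fasp, FaspRequestHandler, the :subscribe and :backfill actions, the sample registry) is hypothetical, and the in-memory array stands in for the Sidekiq "fasp" queue.

```ruby
# Added example (not Mastodon's code): the approval check that CVE-2026-27468
# describes as missing. The same handler runs in "vulnerable" mode (any
# registered FASP is served) and "fixed" mode (only administrator-approved
# FASPs are served). All identifiers here are hypothetical.

require 'set'

# Hypothetical FASP registration record; `approved` is set only by an admin.
Fasp = Struct.new(:id, :name, :approved, keyword_init: true)

# Outcome of one request: HTTP-style status, reason, and whether a job was queued.
Result = Struct.new(:status, :reason, :enqueued, keyword_init: true)

class FaspRequestHandler
  ACTIONS = Set[:subscribe, :backfill].freeze

  def initialize(registry, enforce_approval:)
    @registry = registry             # { fasp_id => Fasp }
    @enforce_approval = enforce_approval
    @queue = []                      # stands in for the Sidekiq "fasp" queue
  end

  attr_reader :queue

  # enforce_approval: false reproduces the flaw: a registered but unapproved
  # FASP can push subscribe/backfill jobs onto the queue.
  # enforce_approval: true is the corrected behaviour: 403 and no job.
  def handle(fasp_id, action)
    return Result.new(status: 400, reason: 'unknown action', enqueued: false) unless ACTIONS.include?(action)

    fasp = @registry[fasp_id]
    return Result.new(status: 404, reason: 'unknown fasp', enqueued: false) if fasp.nil?

    if @enforce_approval && !fasp.approved
      return Result.new(status: 403, reason: 'fasp not approved by an administrator', enqueued: false)
    end

    @queue << [fasp_id, action]
    Result.new(status: 202, reason: 'job enqueued', enqueued: true)
  end
end

# Constructed sample registry: one approved FASP, one still pending approval.
SAMPLE_REGISTRY = {
  'fasp-approved' => Fasp.new(id: 'fasp-approved', name: 'Vetted provider', approved: true),
  'fasp-pending'  => Fasp.new(id: 'fasp-pending',  name: 'Unvetted provider', approved: false),
}.freeze

# Sends the same number of backfill requests from the unapproved FASP through
# a handler and returns how many jobs reached the queue. This is the
# availability impact the analysis describes: unchecked requests become
# queue pressure on the fasp worker; with the check in place none do.
def queue_pressure(enforce_approval:, requests: 50)
  handler = FaspRequestHandler.new(SAMPLE_REGISTRY, enforce_approval: enforce_approval)
  requests.times { handler.handle('fasp-pending', :backfill) }
  handler.queue.size
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable handler queued #{queue_pressure(enforce_approval: false)} jobs from an unapproved FASP"
  puts "fixed handler queued      #{queue_pressure(enforce_approval: true)} jobs from an unapproved FASP"
end
```

The design point is that the approval check sits in the request handler itself, before any job is enqueued, rather than in the job: rejecting at the edge with a 403 is what keeps unapproved callers from consuming worker capacity, which is exactly the AC-3 and AC-6 enforcement the controls section recommends.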

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products: joinmastodon / mastodon, versions 4.4.0 to 4.4.14 and 4.5.0 to 4.5.7 (the fix ships in 4.4.14 and 4.5.7; see the NVD description above)

CVEs Like This One

CVE-2026-41259 (same product: Joinmastodon Mastodon)
CVE-2026-22245 (same product: Joinmastodon Mastodon)
CVE-2026-23962 (same product: Joinmastodon Mastodon)
CVE-2026-30970 (shared CWE-862)
CVE-2025-67974 (shared CWE-862)
CVE-2026-28254 (shared CWE-862)
CVE-2026-3266 (shared CWE-862)
CVE-2025-69297 (shared CWE-862)
CVE-2025-69186 (shared CWE-862)
CVE-2026-25456 (shared CWE-862)
