Cyber Resilience

CVE-2026-27468

Severity: Medium
Published: 24 February 2026
Modified: 26 February 2026
KEV added: not listed
Patch: available (Mastodon 4.4.14 and 4.5.7)
CVSS v4.0 score: 4.8 (Medium)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0024 (15.3rd percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-27468 is a medium-severity Missing Authorization (CWE-862) vulnerability in Joinmastodon Mastodon. Its CVSS v4.0 base score is 4.8 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 15.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-27468 is a missing authorization vulnerability (CWE-862) in Mastodon, a free, open-source social network server based on ActivityPub. It affects versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, but only on servers that have opted in to the experimental FASP (Fediverse Auxiliary Service Provider) feature by including `fasp` in the EXPERIMENTAL_FEATURES environment variable. Registering a FASP with a server requires manual administrator approval, yet the actions a registered FASP performs afterwards, subscribing to account or content lifecycle events or requesting a content backfill, did not properly check whether that FASP had actually been approved. The missing step is an authorization check rather than an authentication one: the server recognised the registered FASP but never consulted the approval decision an administrator is supposed to make.

The vulnerability is exploitable over the network by an unauthenticated attacker with no privileges (AV:N/AC:L/PR:N); the only precondition is that the target has the experimental flag enabled (AT:P). A FASP that has registered but has not been approved can create subscriptions and request content backfill. A single exploitation only leaks URIs that are publicly available anyway, but repeated requests are a serious denial-of-service vector: each accepted request becomes work for the Sidekiq worker that serves the `fasp` queue, and that worker can be overwhelmed, disrupting server operations. Under CVSS v3.1 the same issue scores 8.2 (C:L/I:N/A:H, High); the v4.0 score of 4.8 shown above is lower because v4 additionally factors in the attack requirement and the absence of reported exploitation (E:U).

The Mastodon security advisory (GHSA-qgmm-vr4c-ggjg) and the associated fix commit recommend updating to Mastodon 4.4.14 or 4.5.7, which enforce the approval check before subscription and backfill actions. Administrators testing the experimental FASP feature should apply these updates immediately. Servers that do not include `fasp` in EXPERIMENTAL_FEATURES are unaffected, so where an update cannot be applied at once, removing the flag takes the server out of the affected population until it can be.
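To make the authentication-versus-authorization gap concrete, here is an added Ruby illustration written for this page; it is not Mastodon's code and all names in it (ProviderRegistry, FaspProvider, FaspQueue, subscribe_vulnerable, subscribe_fixed) are hypothetical. It models a provider that has registered (and so can authenticate) but has not been approved, shows the vulnerable handler turning every request into a job on a simulated `fasp` queue, and shows the fixed handler rejecting until an administrator approves. The HMAC check stands in for the real request signing, and the request body is constructed sample data.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical provider record: registration issues a secret immediately,
# but `approved` only becomes true after an administrator acts.
FaspProvider = Struct.new(:name, :secret, :approved, keyword_init: true)

class ProviderRegistry
  def initialize
    @providers = {}
  end

  # Registration succeeds without approval; the provider is now "known".
  def register(name)
    @providers[name] = FaspProvider.new(name: name, secret: SecureRandom.hex(32), approved: false)
  end

  # The separate administrative step the vulnerable handler never consults.
  def approve(name)
    @providers.fetch(name).approved = true
  end

  def find(name)
    @providers[name]
  end
end

# Stand-in for request authentication (real FASP uses HTTP message signatures):
# the caller proves possession of its registration secret with an HMAC.
def sign(provider, body)
  OpenSSL::HMAC.hexdigest('SHA256', provider.secret, body)
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def authenticate(registry, name, body, signature)
  provider = registry.find(name)
  return nil unless provider
  constant_time_equal?(sign(provider, body), signature) ? provider : nil
end

# Simulated Sidekiq `fasp` queue: every accepted request becomes a job.
class FaspQueue
  attr_reader :jobs

  def initialize
    @jobs = []
  end

  def enqueue(job)
    @jobs << job
  end
end

# Vulnerable shape (CWE-862): authenticated, therefore trusted.
def subscribe_vulnerable(registry, queue, name, body, signature)
  provider = authenticate(registry, name, body, signature)
  return :unauthenticated unless provider
  queue.enqueue([:subscribe, provider.name, body])
  :accepted
end

# Fixed shape: authorization (admin approval) is checked after authentication.
def subscribe_fixed(registry, queue, name, body, signature)
  provider = authenticate(registry, name, body, signature)
  return :unauthenticated unless provider
  return :forbidden unless provider.approved
  queue.enqueue([:subscribe, provider.name, body])
  :accepted
end

# Drives both handlers with a registered-but-unapproved provider `attempts`
# times, then approves it and retries once against the fixed handler.
def demo(attempts: 50)
  registry = ProviderRegistry.new
  provider = registry.register('fasp.attacker.example') # hypothetical name
  body = '{"category":"content","subscription_type":"lifecycle"}' # constructed sample
  sig = sign(provider, body)

  vuln_q = FaspQueue.new
  attempts.times { subscribe_vulnerable(registry, vuln_q, provider.name, body, sig) }

  fixed_q = FaspQueue.new
  before = attempts.times.map { subscribe_fixed(registry, fixed_q, provider.name, body, sig) }.uniq
  jobs_before = fixed_q.jobs.size

  registry.approve(provider.name)
  after = subscribe_fixed(registry, fixed_q, provider.name, body, sig)

  { vulnerable_jobs: vuln_q.jobs.size,
    fixed_results_before_approval: before,
    fixed_jobs_before_approval: jobs_before,
    fixed_result_after_approval: after,
    fixed_jobs_after_approval: fixed_q.jobs.size }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The vulnerable handler accepts all 50 unapproved requests and the queue grows with each one, which is the pressure on the `fasp` worker the advisory describes; the fixed handler returns `:forbidden` for every one of them and only enqueues after `approve` has been called.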


Vulnerability details

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content did not check properly whether the FASP was actually approved. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can make subscriptions and request content backfill without approval by an administrator. Done once, this leads to a minor information leak of URIs that are publicly available anyway. But done several times this is a serious vector for DoS, putting pressure on the Sidekiq worker responsible for the `fasp` queue. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.
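Exposure comes down to the two conditions stated above: a version inside one of the named ranges and `fasp` present in EXPERIMENTAL_FEATURES. The following is an added Ruby triage helper written for this page, not part of Mastodon. It assumes Mastodon treats EXPERIMENTAL_FEATURES as a comma-separated list of flag names and that the value is read from a `.env.production`-style file; the sample file contents and the function names (fasp_enabled?, vulnerable_version?, affected?, triage) are this example's own.

```ruby
require 'rubygems' # for Gem::Version comparisons

# Added triage helper (not Mastodon code). Assumption: Mastodon reads
# EXPERIMENTAL_FEATURES as a comma-separated list of flag names.
FASP_FIXED_IN = {
  '4.4' => Gem::Version.new('4.4.14'),
  '4.5' => Gem::Version.new('4.5.7'),
}.freeze

# True when `fasp` is present as a whole item (so "faspx" does not count).
def fasp_enabled?(experimental_features)
  experimental_features.to_s.split(',').map(&:strip).include?('fasp')
end

# True only for the series the advisory names, below their fixed release.
# Other series fall outside the advisory's ranges and return false; a
# pre-release of an affected series sorts below the fix and is flagged.
def vulnerable_version?(version)
  v = Gem::Version.new(version)
  fixed = FASP_FIXED_IN[v.segments[0, 2].join('.')]
  !fixed.nil? && v < fixed
end

def affected?(version:, experimental_features:)
  vulnerable_version?(version) && fasp_enabled?(experimental_features)
end

# Minimal parser for .env.production-style KEY=VALUE lines.
def parse_env(text)
  text.each_line.with_object({}) do |line, env|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    env[key] = value.to_s.delete_prefix('"').delete_suffix('"')
  end
end

# Constructed sample of an instance that has opted in to the flag.
SAMPLE_ENV = <<~ENV
  # .env.production (constructed sample)
  LOCAL_DOMAIN=social.example
  EXPERIMENTAL_FEATURES="fasp"
ENV

def triage(version, env_text = SAMPLE_ENV)
  env = parse_env(env_text)
  flags = env['EXPERIMENTAL_FEATURES']
  {
    version: version,
    fasp_enabled: fasp_enabled?(flags),
    vulnerable_version: vulnerable_version?(version),
    affected: affected?(version: version, experimental_features: flags),
  }
end

if __FILE__ == $PROGRAM_NAME
  %w[4.4.13 4.4.14 4.5.6 4.5.7].each { |ver| p triage(ver) }
end
```

Running it against the sample file reports 4.4.13 and 4.5.6 as affected and 4.4.14 and 4.5.7 as not; an instance on a vulnerable version with the flag absent reports `affected: false`, matching the advisory's statement that such servers are unaffected.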

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.003 Application Exhaustion Flood (Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Missing authorization in public-facing Mastodon FASP feature enables remote unauthenticated exploitation (T1190) and repeated abuse of resource-intensive subscribe/backfill actions to exhaust Sidekiq workers (T1499.003).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41259 (same product: Joinmastodon Mastodon)
CVE-2026-22245 (same product: Joinmastodon Mastodon)
CVE-2026-23962 (same product: Joinmastodon Mastodon)
CVE-2026-30970 (shared CWE-862)
CVE-2025-69311 (shared CWE-862)
CVE-2026-3266 (shared CWE-862)
CVE-2026-45438 (shared CWE-862)
CVE-2025-23477 (shared CWE-862)
CVE-2025-68834 (shared CWE-862)
CVE-2026-22663 (shared CWE-862)

Affected Assets

joinmastodon / mastodon
4.4.0 to 4.4.13 (fixed in 4.4.14) · 4.5.0 to 4.5.6 (fixed in 4.5.7)
Only instances with `fasp` in EXPERIMENTAL_FEATURES are affected.

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): requires enforcement of approved authorizations, directly addressing the missing verification of FASP administrator approval before allowing subscriptions and backfill requests.

SC-5 Denial-of-Service Protection (prevent): protects against denial-of-service events like the resource exhaustion of the Sidekiq `fasp` queue from repeated unauthorized requests.

AC-6 Least Privilege (prevent): enforces least privilege, ensuring FASP-related processes only perform approved actions and mitigating unauthorized subscriptions or backfills.

References

GHSA-qgmm-vr4c-ggjg, Mastodon security advisory for this issue: https://github.com/advisories/GHSA-qgmm-vr4c-ggjg