CVE-2026-41259
Published: 23 April 2026
Summary
CVE-2026-41259 is a high-severity Improper Enforcement of Behavioral Workflow (CWE-841) vulnerability in Joinmastodon Mastodon. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 12.1 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-8 (Identification and Authentication (Non-organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Input validation: requires validation of email address inputs during sign-up to ensure they conform to expected formats and to prevent bypass of domain restrictions via specially crafted characters.
- AC-2 (Account Management): mandates automated account management processes that enforce domain-based restrictions on new user account creation, mitigating unauthorized registrations.
- IA-8 (Identification and Authentication (Non-organizational Users)): establishes identification and authentication requirements for non-organizational users, including validation of identifiers such as email addresses to block invalid sign-ups.
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability exists in the public-facing Mastodon server and is exploitable remotely by unauthenticated attackers during the sign-up process to bypass email domain restrictions and create unauthorized accounts.
NVD Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.
Deeper analysis
CVE-2026-41259 is a vulnerability in Mastodon, a free, open-source social network server based on ActivityPub. It affects versions prior to 4.5.9, 4.4.16, and 4.3.22. Mastodon supports restricting new user sign-ups based on email domain names and includes basic email address validation, but it does not restrict certain characters that some mailing servers interpret differently. This flaw, rated CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and mapped to CWE-841, enables improper enforcement of email domain restrictions.
Unauthenticated remote attackers can exploit this during the sign-up process by submitting email addresses containing specially crafted characters. Because certain mail servers normalize or reinterpret these characters, the domain that Mastodon checks against its deny-list or allow-list can differ from the domain that actually receives the confirmation mail, so the intended domain-based restriction is bypassed. Successful exploitation results in unauthorized account creation, compromising the integrity of access controls on affected Mastodon instances.
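The defensive pattern the controls above describe, as an added example that is not Mastodon's own code: a sign-up e-mail check that rejects by default, requires exactly one "@", restricts both sides of the address to a deliberately narrow character allow-list (stricter than RFC 5322, so nothing a mail server might interpret specially gets through), and applies the domain deny-list to the parsed domain and its parents. The deny-list entries and the function names are constructed for the example.

```ruby
# Added example (not Mastodon's code): conservative sign-up e-mail validation.
# Assumption: only ASCII addresses are accepted; internationalized domains
# would have to be converted to their A-label (punycode) form before this check.

LOCAL_PART   = /\A[a-z0-9](?:[a-z0-9._+-]{0,62}[a-z0-9])?\z/i
DOMAIN_LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

# Constructed sample deny-list of sign-up domains (assumption, not real policy).
BLOCKED_DOMAINS = %w[example.org mailinator.test].freeze

# Returns [local, domain] when the address is acceptable, nil otherwise.
# Quoted local parts, comments, whitespace and extra "@" signs all fail here.
def parse_signup_email(address)
  return nil unless address.is_a?(String) && address.ascii_only? && address.length <= 254
  parts = address.split('@', -1)
  return nil unless parts.length == 2          # exactly one "@"
  local, domain = parts
  return nil unless local.match?(LOCAL_PART)
  labels = domain.split('.', -1)
  return nil unless labels.length >= 2 && labels.all? { |l| l.match?(DOMAIN_LABEL) }
  [local, domain.downcase]
end

# True when the domain or any parent domain (excluding the bare TLD) is denied,
# so sub.example.org is blocked when example.org is on the list.
def blocked_domain?(domain, blocklist = BLOCKED_DOMAINS)
  labels = domain.split('.')
  (0...labels.length - 1).any? { |i| blocklist.include?(labels[i..-1].join('.')) }
end

# Decision for the sign-up form: :invalid (reject), :blocked (policy), or :ok.
def signup_email_decision(address, blocklist = BLOCKED_DOMAINS)
  parsed = parse_signup_email(address)
  return :invalid if parsed.nil?
  blocked_domain?(parsed[1], blocklist) ? :blocked : :ok
end
```

The order matters: syntactic rejection happens before the policy check, so an address the parser cannot pin to a single domain never reaches the deny-list comparison at all.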
The official Mastodon security advisory (GHSA-5r37-qpwq-2jhh) at https://github.com/mastodon/mastodon/security/advisories/GHSA-5r37-qpwq-2jhh confirms the issue and states that it is fixed in versions 4.5.9, 4.4.16, and 4.3.22. Security practitioners should prioritize upgrading to these patched releases to mitigate the vulnerability.
Details
- CWE(s): CWE-841 (Improper Enforcement of Behavioral Workflow)