← back
CVE-2026-50128

Mastodon: Spoofing of attribution domains

CVSS 5.3 MEDIUMEPSS 0.1%CWE-354
Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how it is defined makes Linked Data Signatures on the toot:attributionDomains property ineffective. An attacker can arbitrarily modify the attributionDomains value of a legitimately signed Update activity and bypass Mastodon’s signature verification. This vulnerability is fixed in 4.5.11 and 4.4.18.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products
mastodon · mastodon
public PoCs found1
cve_referencegithub.com/gogs/gogs/security/advisories/GHSA-pwx3-qcgw-vh7hunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/gogs/gogs/security/advisories/GHSA-pwx3-qcgw-vh7hhttps://github.com/mastodon/mastodon/security/advisories/GHSA-rwcw-vq68-g34p