CVE-2026-33869
Mastodon has a denial of service for quote authorization
4.8
MEDIUM
CVSS 3.1
EPSS 0.08%
Description
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.
How to fix CVE-2026-33869
To remediate CVE-2026-33869, upgrade the affected package to a fixed version below.
- —upgrade to 4.4.15 or later
Is CVE-2026-33869 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.4.0, < 4.4.15, >= 4.5.0, < 4.5.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L |