CVE-2026-33868

EUVD-2026-16783

27.03.2026, 20:16

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 75%

Affected Products (NVD)

Vendor	Product	Version
joinmastodon	mastodon	𝑥 < 4.3.21
joinmastodon	mastodon	4.4.0 ≤ 𝑥 < 4.4.15
joinmastodon	mastodon	4.5.0 ≤ 𝑥 < 4.5.8

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

https://github.com/mastodon/mastodon/security/advisories/GHSA-xqw8-4j56-5hj6