CVE-2026-47777— Mastodon 输入验证错误漏洞

Mastodon has a consent-check bypass in its remote Collections

Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the FeatureAuthorization object that is used to verify consent to be featured in a Collection and thus make it appear as if an account is allowed to be in a Collection when it actually is not. While the FeatureAuthorization must reside on the same domain as the object it is for, a check is missing to make sure said object is actually the same as in the Collection item. This allows an attacker to forge the authorization. Mastodon servers are affected only if running the main branch or nightly builds who have opted into testing the experimental "Collections" feature by setting the environment variable EXPERIMENTAL_FEATURES to a value including collections. This has been patched in version 4.6.0-beta.1.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

对数据真实性的验证不充分

Mastodon 输入验证错误漏洞

Mastodon mastodon是Mastodon组织的社交网络服务软件。 Mastodon存在安全漏洞，该漏洞源于对远程账户同意在远程Collection中展示的检查条件缺失，可能导致攻击者绕过检查并伪造同意，通过伪造用于验证同意的FeatureAuthorization对象，使未授权的账户出现在Collection中。受影响版本为运行主线分支或每日构建且启用了实验性Collections功能的版本。

N/A

N/A