{"api_version":"1","generated_at":"2026-04-08T22:41:14+00:00","cve":"CVE-2026-33869","urls":{"html":"https://cve.report/CVE-2026-33869","api":"https://cve.report/api/cve/CVE-2026-33869.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-33869","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-33869"},"summary":{"title":"Mastodon has a denial of service for quote authorization","description":"Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-03-27 20:16:34","updated_at":"2026-03-30 19:12:07"},"problem_types":["CWE-863","CWE-863 CWE-863: Incorrect Authorization"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"4.8","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"4.8","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":4.8,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L","version":"3.1"}}],"references":[{"url":"https://github.com/mastodon/mastodon/security/advisories/GHSA-q4g8-82c5-9h33","name":"https://github.com/mastodon/mastodon/security/advisories/GHSA-q4g8-82c5-9h33","refsource":"security-advisories@github.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-33869","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33869","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"mastodon","product":"mastodon","version":"affected >= 4.5.0, < 4.5.8","platforms":[]},{"source":"CNA","vendor":"mastodon","product":"mastodon","version":"affected >= 4.4.0, < 4.4.15","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"33869","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"joinmastodon","cpe5":"mastodon","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-33869","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-27T20:29:10.346345Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-27T20:29:18.521Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"mastodon","vendor":"mastodon","versions":[{"status":"affected","version":">= 4.5.0, < 4.5.8"},{"status":"affected","version":">= 4.4.0, < 4.4.15"}]}],"descriptions":[{"lang":"en","value":"Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":4.8,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863: Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-27T19:52:21.166Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/mastodon/mastodon/security/advisories/GHSA-q4g8-82c5-9h33","tags":["x_refsource_CONFIRM"],"url":"https://github.com/mastodon/mastodon/security/advisories/GHSA-q4g8-82c5-9h33"}],"source":{"advisory":"GHSA-q4g8-82c5-9h33","discovery":"UNKNOWN"},"title":"Mastodon has a denial of service for quote authorization"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-33869","datePublished":"2026-03-27T19:52:21.166Z","dateReserved":"2026-03-24T15:10:05.678Z","dateUpdated":"2026-03-27T20:29:18.521Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-27 20:16:34","lastModifiedDate":"2026-03-30 19:12:07","problem_types":["CWE-863","CWE-863 CWE-863: Incorrect Authorization"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.2,"impactScore":2.5}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.0","versionEndExcluding":"4.4.15","matchCriteriaId":"A37B2AD4-5027-464B-947A-63BDB06C33B8"},{"vulnerable":true,"criteria":"cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5.0","versionEndExcluding":"4.5.8","matchCriteriaId":"BE32DA85-D71D-4CB8-8216-205780DBBB6A"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"33869","Ordinal":"1","Title":"Mastodon has a denial of service for quote authorization","CVE":"CVE-2026-33869","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"33869","Ordinal":"1","NoteData":"Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.","Type":"Description","Title":"Mastodon has a denial of service for quote authorization"}]}}}