CVE Tools
Sign in

CVE-2026-22246

Local Mastodon users can enumerate and access severed relationships of every other local user

Published: Jan 8, 2026Updated: Jan 22, 2026 Sources: CVE List NVDCWE-201
NVD MITRE
6.5CVSSMEDIUM
EPSS Score
0.2%
Top 86.7%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4.

CVSS Vector Breakdown

AV:NAC:LPR:LUI:NS:UC:HI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:LPrivileges Required
Low
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-201

Affected Products

mastodonjoinmastodon
On-prem
Communications / messaging-chat
mastodonmastodon
On-prem
Communications / messaging-chat
joinmastodonoss-projectCommunicationsaka mastodon
mastodonoss-projectCommunicationsaka mastodon/mastodon

Exploitability

Official Patch Available

References

https://github.com/mastodon/mastodon/commit/68e30985ca7afdb89af1b2e9dc962e1993dc8076
github.com
https://github.com/mastodon/mastodon/commit/b2bcd34486fd6681cc0f30028086ef0f47282adf
github.com
https://github.com/mastodon/mastodon/commit/c1fb6893c5175d74c074f6f786d504c8bc610d57
github.com
and 1 more references View all →

Timeline

Published
Jan 8, 2026
Last Updated
Jan 22, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-22246 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows