CVE-2026-22246: Medium Vulnerability in joinmastodon mastodon

A medium-severity vulnerability has been identified in joinmastodon mastodon. It allows any registered local user to retrieve the lists of relationships that other users on the same instance lost to moderation actions, exposing private social-graph data. Upgrading to a fixed release is recommended.

Severity: Medium · CVSS 6.5 · Published January 8, 2026

This vulnerability allows any registered local user to access the lists of severed relationships that moderation actions (for example, blocking a remote domain) produce for other accounts on the same Mastodon instance. It arises from insufficient checks in the code that retrieves lost relationships: a list is returned without confirming that it belongs to the requesting account.

The vulnerability is rated medium with a CVSS 3.1 base score of 6.5. It matters because it breaks user privacy: any local account can learn which relationships other accounts lost, information those accounts never chose to share.

Organizations using affected versions should prioritize patching immediately to protect user data and maintain trust.

The vulnerability is not currently known to be actively exploited in the wild, but the potential impact on user privacy necessitates prompt remediation.

Vulnerability Details

The vulnerability affects Mastodon versions before 4.3.17, the 4.4 series before 4.4.11, and the 4.5 series before 4.5.4; those three releases contain the fix. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: network attack vector, low attack complexity, low privileges (an ordinary registered account), no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact.

The CWE classification is CWE-201 (Insertion of Sensitive Information Into Sent Data): the response sent to the requester carries data that should never have been included for that caller.

Technical Analysis

The root cause is that the code serving a severed-relationships list did not check that the list belonged to the requesting account before returning it. Since any registered user could ask for such a list, the only thing protecting other users' data was that nobody asked.

The attack vector is network-based and the attack complexity low: an attacker needs nothing more than an ordinary account on the target instance and the ability to request lists they do not own. No user interaction by the victim is required.

The confidentiality impact is high, since the lists reveal which accounts a user followed, or was followed by, before a moderation action severed those relationships. Integrity and availability are not affected; the flaw is read-only.
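
The following Ruby example, added here and not taken from Mastodon's code base, shows the missing-ownership-check pattern described above next to its scoped form. The record and method names (SeveranceEvent, RelationshipLists, show_unscoped, show_scoped) and the sample data are constructed for illustration; only the shape of the bug matches the advisory.

```ruby
# Added illustration of the missing-ownership-check pattern behind
# CVE-2026-22246. This is NOT Mastodon's code; SeveranceEvent,
# RelationshipLists and the method names are hypothetical stand-ins for a
# Rails controller action that serves a user's severed-relationship list.

# Constructed sample data: each record is the list of relationships one
# account lost when the instance took a moderation action.
SeveranceEvent = Struct.new(:id, :account_id, :lost_handles)

EVENTS = [
  SeveranceEvent.new(1, 100, %w[alice@blocked.example bob@blocked.example]),
  SeveranceEvent.new(2, 200, %w[carol@blocked.example]),
  SeveranceEvent.new(3, 100, %w[dave@suspended.example]),
].freeze

class NotFound < StandardError; end

module RelationshipLists
  # Vulnerable pattern: look the record up by the id from the URL alone
  # (the Rails equivalent is Model.find(params[:id])). Any authenticated
  # account that guesses or enumerates an id receives the list.
  def self.show_unscoped(_current_account_id, event_id)
    event = EVENTS.find { |e| e.id == event_id }
    raise NotFound unless event
    event.lost_handles
  end

  # Hardened pattern: restrict the lookup to records owned by the caller
  # first, then apply the id (Rails: current_account.events.find(params[:id])).
  # A foreign id is indistinguishable from a nonexistent one.
  def self.show_scoped(current_account_id, event_id)
    owned = EVENTS.select { |e| e.account_id == current_account_id }
    event = owned.find { |e| e.id == event_id }
    raise NotFound unless event
    event.lost_handles
  end

  # Simulates an enumeration attempt: which ids in the range can the given
  # account read through the chosen action?
  def self.readable_ids(current_account_id, id_range, method)
    id_range.select do |id|
      begin
        public_send(method, current_account_id, id)
        true
      rescue NotFound
        false
      end
    end
  end
end

if $PROGRAM_NAME == __FILE__
  attacker = 200 # owns only event 2
  puts "unscoped: #{RelationshipLists.readable_ids(attacker, 1..3, :show_unscoped).inspect}"
  puts "scoped:   #{RelationshipLists.readable_ids(attacker, 1..3, :show_scoped).inspect}"
end
```

The scoped version follows the usual Rails idiom of querying through the current account's association rather than the model class, so a foreign identifier produces the same not-found response as a nonexistent one and the error path leaks nothing about which ids exist.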

Risk & Impact Analysis

Risk to organizations includes unauthorized access to sensitive information about user relationships. This vulnerability can lead to a loss of trust among users if their private interactions can be improperly accessed.

The blast radius is bounded by the instance but broad within it: any registered user can read the severed-relationship lists of every other local account affected by a moderation action, and instances with open registration effectively expose that data to anyone willing to sign up.

Given the medium severity of this vulnerability and its potential impact on confidentiality, organizations should address this vulnerability in their priority patch cycle.

Exploitation Status

Signal               Status
Known Exploit        No
Public PoC           No
Actively Exploited   No
Ransomware Use       No

Affected Versions

All versions before the vendor patch are affected: releases before 4.3.17, 4.4.0 up to but not including 4.4.11, and 4.5.0 up to but not including 4.5.4.

Mitigation & Remediation

Upgrade to Mastodon 4.3.17, 4.4.11, or 4.5.4 (or a later release in the same series); these releases add the missing ownership check. Upgrading is the only remediation the advisory provides. Until it is applied, keep in mind that exploitation requires a registered local account, so instances with open registration are the most exposed.

Detection Guidance

Review web server and application logs for requests to the endpoints that serve severed-relationship lists, and correlate the list identifiers requested with the accounts that own them; a user has no legitimate reason to fetch a list that is not theirs.

Watch in particular for a single account or client address fetching many distinct lists in quick succession, or requesting identifiers that do not exist, both of which indicate enumeration. After patching, requests for lists the caller does not own should be rejected, so a rise in rejected requests on those endpoints is itself a signal worth investigating.
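
As an added illustration of the detection guidance above (not part of the advisory, and not Mastodon tooling), the Ruby below runs two checks over constructed nginx "combined" access-log lines: an enumeration check that flags a client fetching several distinct severed-relationship lists within a short window, and a per-client count of not-found responses on that path, which after patching is how a foreign identifier should be answered. The path /severed_relationships/<id>/... is an assumption about where an instance serves the lists; verify it against your own routes before using the pattern.

```ruby
require 'time'

# Constructed sample log lines (nginx "combined" format). The endpoint path is
# an assumption for illustration, not a confirmed Mastodon route.
SAMPLE_LOGS = <<~LOG.lines(chomp: true)
  203.0.113.10 - - [08/Jan/2026:10:00:01 +0000] "GET /severed_relationships/42/followers.csv HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
  198.51.100.7 - - [08/Jan/2026:10:00:05 +0000] "GET /severed_relationships/1/followers.csv HTTP/1.1" 200 512 "-" "curl/8.5.0"
  198.51.100.7 - - [08/Jan/2026:10:00:06 +0000] "GET /severed_relationships/2/followers.csv HTTP/1.1" 200 734 "-" "curl/8.5.0"
  198.51.100.7 - - [08/Jan/2026:10:00:06 +0000] "GET /severed_relationships/3/followers.csv HTTP/1.1" 404 128 "-" "curl/8.5.0"
  198.51.100.7 - - [08/Jan/2026:10:00:07 +0000] "GET /severed_relationships/4/followers.csv HTTP/1.1" 200 901 "-" "curl/8.5.0"
  198.51.100.7 - - [08/Jan/2026:10:00:08 +0000] "GET /severed_relationships/5/following.csv HTTP/1.1" 200 402 "-" "curl/8.5.0"
  203.0.113.10 - - [08/Jan/2026:10:30:00 +0000] "GET /home HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
LOG

LOG_LINE  = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<verb>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /
LIST_PATH = %r{\A/severed_relationships/(?<id>\d+)(?:/|\?|\z)}

ListRequest = Struct.new(:ip, :time, :list_id, :status)

# Keep only requests for severed-relationship lists, parsed into structs.
def parse_list_requests(lines)
  lines.filter_map do |line|
    m = LOG_LINE.match(line) or next
    pm = LIST_PATH.match(m[:path]) or next
    ListRequest.new(m[:ip], Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
                    pm[:id].to_i, m[:status].to_i)
  end
end

# Signal 1: one client successfully downloads >= threshold distinct lists
# within `window` seconds. A legitimate user only owns the lists created by
# moderation actions that affected them, so breadth is the tell.
def enumeration_alerts(requests, threshold: 3, window: 300)
  alerts = []
  requests.group_by(&:ip).each do |ip, reqs|
    ok = reqs.select { |r| r.status == 200 }.sort_by(&:time)
    ok.each_with_index do |start, i|
      in_window = ok[i..].take_while { |r| r.time - start.time <= window }
      ids = in_window.map(&:list_id).uniq
      next if ids.size < threshold
      alerts << { ip: ip, distinct_lists: ids.size, list_ids: ids,
                  first_seen: start.time.utc.iso8601 }
      break
    end
  end
  alerts
end

# Signal 2: 404s on the list path, per client. Once the fix is in place a
# foreign id should be answered like a missing one, so these are guesses.
def not_found_probes(requests)
  requests.select { |r| r.status == 404 }
          .group_by(&:ip)
          .transform_values(&:size)
end

if $PROGRAM_NAME == __FILE__
  reqs = parse_list_requests(SAMPLE_LOGS)
  enumeration_alerts(reqs).each { |a| puts "ENUMERATION #{a.inspect}" }
  not_found_probes(reqs).each { |ip, n| puts "PROBES #{ip} #{n}" }
end
```

On the sample data the browser client that downloads its own single list is left alone, while the scripted client that walks identifiers 1 through 5 trips the enumeration check and also shows up in the probe count. Thresholds are starting points; tune them against a baseline of how often your users actually download these exports.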

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability lies in what it says about authorization in social software: data produced by moderation actions is as sensitive as the relationships it describes and needs the same per-user access checks as the rest of the social graph.

Operators should treat this as a cue to review other endpoints that serve per-user exports or downloads for the same missing ownership check, to fold Mastodon releases into a regular patch cycle, and to confirm that their incident response plan covers disclosure of user data from an instance they run.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
