{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33868", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:10:05.678Z", "datePublished": "2026-03-27T19:50:07.687Z", "dateUpdated": "2026-03-27T19:50:07.687Z"}, "containers": {"cna": {"title": "Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>'", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xqw8-4j56-5hj6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xqw8-4j56-5hj6"}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"version": ">= 4.5.0, < 4.5.8", "status": "affected"}, {"version": ">= 4.4.0, < 4.4.15", "status": "affected"}, {"version": "< 4.3.21", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:50:07.687Z"}, "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue."}], "source": {"advisory": "GHSA-xqw8-4j56-5hj6", "discovery": "UNKNOWN"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "91507204-15DF-4F1C-A1DC-59F0AD466214", "versionEndExcluding": "4.3.21", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "A37B2AD4-5027-464B-947A-63BDB06C33B8", "versionEndExcluding": "4.4.15", "versionStartIncluding": "4.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE32DA85-D71D-4CB8-8216-205780DBBB6A", "versionEndExcluding": "4.5.8", "versionStartIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue."}], "id": "CVE-2026-33868", "lastModified": "2026-03-30T19:14:17.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-27T20:16:34.333", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xqw8-4j56-5hj6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.5.0,4.5.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.4.0,4.4.15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.21)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "mastodon", "source": "cna", "vendor": "mastodon"}, "product": "mastodon", "vendor": "joinmastodon"}], "analysis": {"en": {"generated_at": "2026-03-27T21:36:37.648917+00:00", "value": {"mitigation_remediation": ["Update Mastodon to version 4.5.8, 4.4.15, or 4.3.21 or later to apply the official patch."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Open Redirect enabling phishing and credential theft"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Mastodon servers running the Mastodon application. Users of any Mastodon instance that has not updated beyond versions 4.5.8, 4.4.15, or 4.3.21 are at risk.", "description_and_impact": "Mastodon versions prior to 4.5.8, 4.4.15, and 4.3.21 allow attackers to trigger a server\u2011side redirect through the /web/* route by including a URL-encoded slash (%2F). This redirect occurs without authentication and directs users to an arbitrary external domain, creating opportunities for phishing attacks or OAuth credential theft. The underlying flaw is improper path normalization, classified as CWE\u2011601, and can be exploited simply by requesting a crafted GET URL.", "risk_and_exploitability": "The CVSS base score of 4.3 indicates a moderate impact if exploited. No EPSS data is available, so the likelihood of exploitation cannot be quantified from the CVE record. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires only that an attacker can send victims a malicious URL that includes an encoded slash, which is trivial to generate and distribute. Because authentication is not required, every user of a vulnerable instance is a potential target."}}}}, "created": "2026-03-29T20:30:20.903088+00:00", "updated": "2026-03-30T07:59:29.517817+00:00", "vendors": ["joinmastodon", "joinmastodon$PRODUCT$mastodon"]}