BIT-MASTODON-2026-22246 Local Mastodon users can enumerate and access severed relationships of every other local user
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships...
CVE-2024-34535
In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header...
BIT-MASTODON-2024-34535
In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header...
Mastodon 4.1.x < 4.1.2 LDAP injection
According to its self-reported version number, the version of Mastodon running on the remote host is 2.5.0 prior to 3.5.8, 4.0.x prior to 4.0.4, or 4.1.x prior to 4.1.2. Therefore, it may be affected by a blind LDAP injection vulnerability in login that allows an attacker to leak arbitrary attributes from LDAP...
Mastodon 4.0.x < 4.0.4 LDAP injection
According to its self-reported version number, the version of Mastodon running on the remote host is 2.5.0 prior to 3.5.8, 4.0.x prior to 4.0.4, or 4.1.x prior to 4.1.2. Therefore, it may be affected by a blind LDAP injection vulnerability in login that allows an attacker to leak arbitrary attributes from LDAP...