Unrated severityNVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026
Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>'
CVE-2026-33868
Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the /web/* route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (%2F) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- github.com/mastodon/mastodon/security/advisories/GHSA-xqw8-4j56-5hj6mitrex_refsource_CONFIRM
News mentions
12- ISC Stormcast For Friday, May 15th, 2026 https://isc.sans.edu/podcastdetail/9934, (Fri, May 15th)SANS Internet Storm Center · May 15, 2026
- Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege EscalationThe Hacker News · May 14, 2026
- ISC Stormcast For Thursday, May 14th, 2026 https://isc.sans.edu/podcastdetail/9932, (Thu, May 14th)SANS Internet Storm Center · May 14, 2026
- ISC Stormcast For Wednesday, May 13th, 2026 https://isc.sans.edu/podcastdetail/9930, (Wed, May 13th)SANS Internet Storm Center · May 13, 2026
- ISC Stormcast For Tuesday, May 12th, 2026 https://isc.sans.edu/podcastdetail/9928, (Tue, May 12th)SANS Internet Storm Center · May 12, 2026
- ISC Stormcast For Monday, May 11th, 2026 https://isc.sans.edu/podcastdetail/9926, (Mon, May 11th)SANS Internet Storm Center · May 11, 2026
- Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag, (Fri, May 8th)SANS Internet Storm Center · May 8, 2026
- ISC Stormcast For Wednesday, May 6th, 2026 https://isc.sans.edu/podcastdetail/9920, (Wed, May 6th)SANS Internet Storm Center · May 6, 2026
- ISC Stormcast For Monday, May 4th, 2026 https://isc.sans.edu/podcastdetail/9916, (Mon, May 4th)SANS Internet Storm Center · May 4, 2026
- Shutdowns, power outages, and conflict: a review of Q1 2026 Internet disruptionsCloudflare Blog · Apr 28, 2026
- It pays to be a forever studentCisco Talos Intelligence · Apr 23, 2026
- Risky Business #834 -- Vercel gets owned, Mozilla dumps hundreds of Mythos bugsRisky Business · Apr 22, 2026