VYPR
Unrated severityNVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026

Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>'

CVE-2026-33868

Description

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the /web/* route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (%2F) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Mastodon/Mastodonllm-fuzzy2 versions
    < 4.5.8, < 4.4.15, < 4.3.21+ 1 more
    • (no CPE)range: < 4.5.8, < 4.4.15, < 4.3.21
    • (no CPE)range: >= 4.5.0, < 4.5.8
  • osv-coords
    Range: < 4.3.21

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.