Unrated severityNVD Advisory· Published Jun 24, 2026

Mastodon: SSRF Bypass via IPv6 Unspecified Address (::)

CVE-2026-46348

Description

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the affected range to make Mastodon perform HTTP requests against loopback interfaces, potentially allowing access to otherwise private resources and services. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Mastodon/Mastodonllm-fuzzy
Range: >=4.3.0 <4.3.23 || >=4.4.0 <4.4.17 || >=4.5.0 <4.5.10

Patches

Vulnerability mechanics

References

github.com/mastodon/mastodon/security/advisories/GHSA-crr4-7rm4-8gpwmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000