CVE-2026-22245 Joinmastodon — Exploit & Vulnerability Details HIGH

Parameter	Value
CVSS	7.1 (HIGH)
Affected Versions	4.3.0 — 4.5.4
Fixed In	4.2.29
Type	CWE-918 (Server-Side Request Forgery (SSRF))
Vendor	Joinmastodon
Public PoC	No

Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in `ALLOWED_PRIVATE_ADDRESSES`) to avoid the "confused deputy" problem.

The list of disallowed IP address ranges was lacking some IP address ranges that can be used to reach local IP addresses. An attacker can use an IP address in the affected ranges to make Mastodon perform HTTP requests against loopback or local network hosts, potentially allowing access to otherwise private resources and services. This is fixed in Mastodon v4.5.4, v4.4.11, v4.3.17 and v4.2.29.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Attack Requirements

None

No additional conditions

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

None

No data leak

Integrity

High

Complete data modification

Availability

None

No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-918 Server-Side Request Forgery (SSRF)

Vulnerable Products 4

Configuration	From (including)	Up to (excluding)
Joinmastodon Mastodon cpe:2.3:a:joinmastodon:mastodon::::::::	—	`4.2.29`
Joinmastodon Mastodon cpe:2.3:a:joinmastodon:mastodon::::::::	`4.3.0`	`4.3.17`
Joinmastodon Mastodon cpe:2.3:a:joinmastodon:mastodon::::::::	`4.4.0`	`4.4.11`
Joinmastodon Mastodon cpe:2.3:a:joinmastodon:mastodon::::::::	`4.5.0`	`4.5.4`