Mastodon - Open Redirect
CVE-2026-33868
Verified
Description
Mastodon version < 4.5.8, < 4.4.15, < 4.3.21 is vulnerable to unauthenticated Open Redirect vulnerability (CWE-601) exists in the /web/* route due to improper handling of URL-encoded path segments.
Severity
Medium
CVSS Score
4.3
Exploit Probability
1%
Affected Product
mastodon
Published Date
March 25, 2026
Template Author
theamanrawat
CVE-2026-33868.yaml
id: CVE-2026-33868
info:
name: Mastodon - Open Redirect
author: theamanrawat
severity: medium
description: |
Mastodon version < 4.5.8, < 4.4.15, < 4.3.21 is vulnerable to unauthenticated Open Redirect vulnerability (CWE-601) exists in the /web/* route due to improper handling of URL-encoded path segments.
impact: |
Redirect users to external domain.
remediation: |
Update Mastodon to versions 4.5.8, 4.4.15, 4.3.21.
reference:
- https://github.com/mastodon/mastodon/security/advisories/GHSA-xqw8-4j56-5hj6
- https://nvd.nist.gov/vuln/detail/CVE-2026-33868
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
cvss-score: 4.3
cve-id: CVE-2026-33868
epss-score: 0.00515
epss-percentile: 0.40087
cwe-id: CWE-601
metadata:
verified: true
vendor: mastodon
product: mastodon
shodan-query: html:"mastodon-"
tags: cve,cve2026,mastodon,open-redirect,vuln,unauth
http:
- method: GET
path:
- "{{BaseURL}}/web/%2Finteract.sh:443"
matchers-condition: and
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
- type: status
condition: or
status:
- 302
- 301
# digest: 4a0a004730450221009e45f83594e17bae9beccf5c1757bf0543fc76712241bc8349afed5425b3737a02202256fbef40b9e89ab1e71c04ed151fd8df9c0c5873fa7e503b02d87d386d3911:922c64590222798bb761d5b6d8e729504.3Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE ID:
cve-2026-33868
CWE ID:
cwe-601
Remediation Steps
Update Mastodon to versions 4.5.8, 4.4.15, 4.3.21.