/Vulnerability Library

Mastodon - Open Redirect

CVE-2026-33868
Verified

Description

Mastodon version < 4.5.8, < 4.4.15, < 4.3.21 is vulnerable to unauthenticated Open Redirect vulnerability (CWE-601) exists in the /web/* route due to improper handling of URL-encoded path segments.

Severity

Medium

CVSS Score

4.3

Exploit Probability

1%

Affected Product

mastodon

Published Date

March 25, 2026

Template Author

theamanrawat

CVE-2026-33868.yaml
id: CVE-2026-33868

info:
  name: Mastodon - Open Redirect
  author: theamanrawat
  severity: medium
  description: |
    Mastodon version < 4.5.8, < 4.4.15, < 4.3.21 is vulnerable to unauthenticated Open Redirect vulnerability (CWE-601) exists in the /web/* route due to improper handling of URL-encoded path segments.
  impact: |
    Redirect users to external domain.
  remediation: |
    Update Mastodon to versions 4.5.8, 4.4.15, 4.3.21.
  reference:
    - https://github.com/mastodon/mastodon/security/advisories/GHSA-xqw8-4j56-5hj6
    - https://nvd.nist.gov/vuln/detail/CVE-2026-33868
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
    cvss-score: 4.3
    cve-id: CVE-2026-33868
    epss-score: 0.00515
    epss-percentile: 0.40087
    cwe-id: CWE-601
  metadata:
    verified: true
    vendor: mastodon
    product: mastodon
    shodan-query: html:"mastodon-"
  tags: cve,cve2026,mastodon,open-redirect,vuln,unauth

http:
  - method: GET
    path:
      - "{{BaseURL}}/web/%2Finteract.sh:443"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
        part: header

      - type: status
        condition: or
        status:
          - 302
          - 301
# digest: 4a0a004730450221009e45f83594e17bae9beccf5c1757bf0543fc76712241bc8349afed5425b3737a02202256fbef40b9e89ab1e71c04ed151fd8df9c0c5873fa7e503b02d87d386d3911:922c64590222798bb761d5b6d8e72950
4.3Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE ID:
cve-2026-33868
CWE ID:
cwe-601

References

https://github.com/mastodon/mastodon/security/advisories/GHSA-xqw8-4j56-5hj6https://nvd.nist.gov/vuln/detail/CVE-2026-33868

Remediation Steps

Update Mastodon to versions 4.5.8, 4.4.15, 4.3.21.