CVE-2026-33868

MEDIUM 4.3

Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>'

CVSS Score

4.3

EPSS Score

0.9%

EPSS Percentile

75th

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.

CWE	CWE-601
Vendor	mastodon
Product	mastodon
Published	Mar 27, 2026
Last Updated	Mar 31, 2026

Stay Ahead of the Next One

Get instant alerts for mastodon mastodon

Be the first to know when new medium vulnerabilities affecting mastodon mastodon are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

mastodon / mastodon

>= 4.5.0, < 4.5.8 >= 4.4.0, < 4.4.15 < 4.3.21

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/mastodon/mastodon/security/advisories/GHSA-xqw8-4j56-5hj6