BIT-mastodon-2026-46349: Mastodon: LD-Signature Bypass via JSON-LD Named-Graph Restructuring
Mastodon versions prior to 4.5.10, 4.4.17, and 4.3.23 have a vulnerability in the normalization of incoming activities signed with Linked-Data Signatures. This flaw allows attackers to rearrange a valid signed JSON-LD activity from a third party so that it is processed differently, potentially bypassing signature validation. The issue is fixed in versions 4.5.10, 4.4.17, and 4.3.23.
AI Analysis
Technical Summary
Mastodon's handling of JSON-LD signed activities did not adequately protect against a spoofing technique where attackers could restructure the named graph in a valid signed JSON-LD activity. This allowed the activity to be interpreted differently than intended, effectively bypassing the Linked-Data Signature verification. The vulnerability affects Mastodon versions prior to 4.5.10, 4.4.17, and 4.3.23 and has been addressed in these fixed versions.
Potential Impact
An attacker can manipulate the structure of a valid signed JSON-LD activity from a third party to have it processed differently by Mastodon, potentially leading to spoofing or unauthorized activity processing. This undermines the integrity of signed activities, which could affect trust and security in federated social network interactions.
Mitigation Recommendations
Upgrade Mastodon to version 4.5.10 or later, or to 4.4.17 or later, or to 4.3.23 or later, as these versions contain the fix for this vulnerability. No other mitigation is indicated.
BIT-mastodon-2026-46349: Mastodon: LD-Signature Bypass via JSON-LD Named-Graph Restructuring
Description
Mastodon versions prior to 4.5.10, 4.4.17, and 4.3.23 have a vulnerability in the normalization of incoming activities signed with Linked-Data Signatures. This flaw allows attackers to rearrange a valid signed JSON-LD activity from a third party so that it is processed differently, potentially bypassing signature validation. The issue is fixed in versions 4.5.10, 4.4.17, and 4.3.23.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Mastodon's handling of JSON-LD signed activities did not adequately protect against a spoofing technique where attackers could restructure the named graph in a valid signed JSON-LD activity. This allowed the activity to be interpreted differently than intended, effectively bypassing the Linked-Data Signature verification. The vulnerability affects Mastodon versions prior to 4.5.10, 4.4.17, and 4.3.23 and has been addressed in these fixed versions.
Potential Impact
An attacker can manipulate the structure of a valid signed JSON-LD activity from a third party to have it processed differently by Mastodon, potentially leading to spoofing or unauthorized activity processing. This undermines the integrity of signed activities, which could affect trust and security in federated social network interactions.
Mitigation Recommendations
Upgrade Mastodon to version 4.5.10 or later, or to 4.4.17 or later, or to 4.3.23 or later, as these versions contain the fix for this vulnerability. No other mitigation is indicated.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- BIT-mastodon-2026-46349
- Osv Schema Version
- 1.6.2
- Aliases
- ["CVE-2026-46349"]
- Ecosystems
- ["Bitnami"]
- Database Specific Severity
- Medium
- Cvss Version
- null
Threat ID: 6a4c347427e9c79719603aa0
Added to database: 07/06/2026, 23:04:20 UTC
Last enriched: 07/06/2026, 23:37:22 UTC
Last updated: 07/06/2026, 23:40:48 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.