PatchSiren cyber security CVE debrief
CVE-2026-47777 mastodon CVE debrief
CVE-2026-47777 is a HIGH severity vulnerability in Mastodon, a free, open-source social network server. The check that verifies a remote account's consent to be featured in a remote Collection can be bypassed, letting an attacker fake that consent and manipulate Collection items. This vulnerability affects Mastodon servers running the main branch or nightly builds with the experimental 'Collections' feature enabled. The issue has been patched in version 4.6.0-beta.1.
- Vendor
- mastodon
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Administrators and users of Mastodon servers, especially those running the main branch or nightly builds with the experimental 'Collections' feature enabled.
Technical summary
The check that verifies a remote account's consent to be featured in a remote Collection omits a condition. Because of that gap, an attacker can present a forged FeatureAuthorization object as proof of consent, making it appear that an account agreed to be included in a Collection when it did not. The stored evidence does not say which condition is missing.
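The model below is an added illustration of the class of bug described above; it is not Mastodon's code. The FeatureAuthorization shape, the field names, the sample URIs and the particular condition that the vulnerable variant omits (binding the authorization to the origin of the account that supposedly consented) are all assumptions chosen for illustration. It contrasts a check that only validates the object's shape and targets with one that also refuses an authorization the consenting account's own server could not have issued:

```ruby
require 'uri'

# Constructed sample identifiers (assumed for illustration, not from the advisory).
COLLECTION_URI = 'https://collections.example/collections/42'
FEATURED_ACCOUNT_URI = 'https://remote.example/users/alice'

# Constructed authorization as the featured account's own server would serve it:
# hosted on alice's origin, attributed to alice, pointing at the target Collection.
GENUINE_AUTHORIZATION = {
  'id' => 'https://remote.example/users/alice/feature_authorizations/1',
  'type' => 'FeatureAuthorization',
  'attributedTo' => FEATURED_ACCOUNT_URI,
  'object' => COLLECTION_URI
}.freeze

# Constructed forgery: the Collection owner mints an object on their own host
# that claims alice consented. Every field except 'id' matches the genuine one.
FORGED_AUTHORIZATION = {
  'id' => 'https://collections.example/feature_authorizations/999',
  'type' => 'FeatureAuthorization',
  'attributedTo' => FEATURED_ACCOUNT_URI,
  'object' => COLLECTION_URI
}.freeze

# True when both URIs share scheme, host and port; malformed input is not same-origin.
def same_origin?(a, b)
  ua, ub = URI.parse(a), URI.parse(b)
  ua.scheme == ub.scheme && ua.host == ub.host && ua.port == ub.port
rescue URI::InvalidURIError
  false
end

# Shape and target checks shared by both variants: right type, right Collection,
# attributed to the account we are about to feature.
def well_formed?(auth, collection_uri, account_uri)
  auth.is_a?(Hash) &&
    auth['type'] == 'FeatureAuthorization' &&
    auth['object'] == collection_uri &&
    auth['attributedTo'] == account_uri
end

# Vulnerable model: trusts whatever object is presented as long as it is well formed.
# Nothing ties the object to the account granting consent, so the forgery passes.
def consent_verified_vulnerable?(auth, collection_uri, account_uri)
  well_formed?(auth, collection_uri, account_uri)
end

# Hardened model (assumed fix, not the project's patch): the authorization must be
# hosted at the same origin as the consenting account, because only that account's
# server can vouch for it. A real implementation would also dereference the object
# from that origin instead of trusting an inlined copy; the fetch is out of scope here.
def consent_verified_hardened?(auth, collection_uri, account_uri)
  well_formed?(auth, collection_uri, account_uri) &&
    auth['id'].is_a?(String) &&
    same_origin?(auth['id'], account_uri)
end

if __FILE__ == $PROGRAM_NAME
  puts "forged, vulnerable check:  #{consent_verified_vulnerable?(FORGED_AUTHORIZATION, COLLECTION_URI, FEATURED_ACCOUNT_URI)}"
  puts "forged, hardened check:    #{consent_verified_hardened?(FORGED_AUTHORIZATION, COLLECTION_URI, FEATURED_ACCOUNT_URI)}"
  puts "genuine, hardened check:   #{consent_verified_hardened?(GENUINE_AUTHORIZATION, COLLECTION_URI, FEATURED_ACCOUNT_URI)}"
end
```

The point of the hardened variant is that the proof of consent is bound to the party whose consent it represents, not merely well formed. Whatever the real missing condition in Mastodon turns out to be, the same question applies when reviewing any consent or authorization object received over federation: which host is allowed to assert this, and is that host the one that served it?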
Defensive priority
HIGH
Recommended defensive actions
- Update to version 4.6.0-beta.1 or later
- Disable the experimental 'Collections' feature if not in use
- Review Collection membership on affected instances for remote accounts whose consent cannot be confirmed, and watch for unexpected additions to Collection items
Evidence notes
Root cause: a missing condition in the check of a remote account's consent to be featured in a remote Collection. The gap lets an attacker forge the FeatureAuthorization object and fake consent. The stored evidence does not identify the missing condition or the exact forged fields.
Official resources
CVE-2026-47777 was published on 2026-06-15T18:16:35.287Z and has not been modified since then.