Mastodon Remote User Suspension Bypass Vulnerability

Vulnerability

A logic error in Mastodon, a social network server based on ActivityPub, allows suspended remote users to partially bypass their suspension and have new posts appear in timelines. This vulnerability affects all Mastodon versions, but the bypass of suspension for new posts is specific to versions 4.5.0 through 4.5.4, 4.4.5 through 4.4.11, 4.3.13 through 4.3.17, and 4.2.26 through 4.2.29. The issue arises because the suspension feature does not fully prevent interactions with posts from suspended users, especially if those posts have been boosted.
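The mechanism the advisory describes, a suspension check that looks only at the account delivering a status and not at the author of a boosted (reblogged) one, can be modelled in a few lines. The following Ruby is an added illustration written for this page; it is not Mastodon's code and does not claim to match its internals. The account and status structures, the `visible_naive?`/`visible_hardened?` checks and the sample data are all assumptions constructed to show why checking the whole boost chain matters.

```ruby
# Illustrative model of a timeline suspension filter (hypothetical, not Mastodon's code).
Account = Struct.new(:username, :suspended, keyword_init: true) do
  def suspended?
    suspended
  end
end

# A status is either an original post (reblog: nil) or a boost of another status.
Status = Struct.new(:account, :text, :reblog, keyword_init: true)

# Incomplete check: only the account that delivered the status is inspected,
# so a boost of a suspended author's post is still shown.
def visible_naive?(status)
  !status.account.suspended?
end

# Defensive check: walk the whole boost chain and reject the status if any
# account along it (booster or original author) is suspended.
def visible_hardened?(status)
  chain = [status]
  chain << chain.last.reblog while chain.last.reblog
  chain.none? { |s| s.account.suspended? }
end

# Apply one of the checks above to a list of statuses.
def filter_timeline(statuses, check)
  statuses.select { |s| send(check, s) }
end

# Constructed sample data: a suspended remote author, a local booster, and an
# unrelated remote account that is in good standing.
def sample_timeline
  banned  = Account.new(username: "suspended@remote.example", suspended: true)
  booster = Account.new(username: "alice@local.example", suspended: false)
  ok      = Account.new(username: "bob@remote.example", suspended: false)
  original = Status.new(account: banned, text: "post from a suspended account", reblog: nil)
  [
    Status.new(account: booster, text: nil, reblog: original), # boost of the suspended post
    Status.new(account: ok, text: "unrelated post", reblog: nil),
    original,
  ]
end

if __FILE__ == $0
  tl = sample_timeline
  puts "naive:    #{filter_timeline(tl, :visible_naive?).size} shown"    # 2 (boost leaks through)
  puts "hardened: #{filter_timeline(tl, :visible_hardened?).size} shown" # 1
end
```

The naive filter lets the boost through because the booster is in good standing; the hardened one rejects it because the original author is suspended. The same chain check has to run at delivery time, not only when rendering a cached timeline, or new posts arriving via a boost are admitted before any filter sees them.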

Impact

The vulnerability allows old posts from suspended users to occasionally appear on timelines. More critically, in the specified versions, it enables suspended users to have new posts delivered to timelines, bypassing the suspension.

Remediation

Administrators should upgrade to Mastodon 4.3.18, 4.4.12, or 4.5.5, the releases that address this vulnerability.

Added: Jan 22, 2026, 2:19 AM
Updated: Jan 22, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.0
remediation: 0.0
relevance: 2.1
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.