mastodon

v4.4.18 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 13h Communication & Email

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 2 known CVEs

Topics

activity-stream activitypub docker fediverse mastodon microblog

+3 more

social-network social-web webfinger

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal

editorial:auto 10h

Mastodon v4.4.18 patches two critical security flaws: attribution domain spoofing and a message‑sanitization crash that triggers Denial of Service.

Why it matters: Both vulnerabilities have severity 90; immediate upgrade is required to prevent spoofing attacks and service outages.

Summary

AI summary

Updates Non-Docker, When using Docker, and https://github.com/mastodon/mastodon/security/advisories/GHSA-rwcw-vq68-g34p across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Fixes attribution domain spoofing vulnerability. Fixes attribution domain spoofing vulnerability. Source: llm_adapter@2026-06-03 Confidence: high	—
Security	Critical	Fixes uncaught exception in message sanitization causing Denial of Service. Fixes uncaught exception in message sanitization causing Denial of Service. Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Fixes rejection of remote statuses with large media descriptions. Fixes rejection of remote statuses with large media descriptions. Source: llm_adapter@2026-06-03 Confidence: high	—

Full changelog

[!NOTE]
While we continue to support Mastodon 4.4 and release patches for it, please note that Mastodon 4.5 is available with new features, changes and fixes. We encourage administrators to update to the latest 4.5 version when they can.

Changelog

Security

Fix allowed attribution domains spoofing (GHSA-rwcw-vq68-g34p)
Fix uncaught exception in message sanitization causing Denial of Service (GHSA-qrgq-9fx2-vf2r)
Update dependencies

Fixed

Fix remote statuses with large media descriptions being rejected (#39135 by @ClearlyClaire)

Upgrade notes

To get the code for v4.4.18, use git fetch && git checkout v4.4.18.

[!NOTE]
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Dependencies

External dependencies have not changed since v4.4.1:

Ruby: 3.2 or newer
PostgreSQL: 13 or newer
Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
LibreTranslate (optional, for translations): 1.3.3 or newer
Redis: 6.2 or newer
Node: 20 or newer
libvips (optional, instead of ImageMagick): 8.13 or newer
ImageMagick (optional if using libvips): 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.4.17.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, it is very important to read the 4.4.0 release notes.

Non-Docker

Install dependencies with bundle install
Restart all Mastodon processes.

When using Docker

Restart all Mastodon processes.

Security Fixes

GHSA-rwcw-vq68-g34p — Fix allowed attribution domains spoofing
GHSA-qrgq-9fx2-vf2r — Fix uncaught exception in message sanitization causing Denial of Service

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track mastodon

Get notified when new releases ship.

About mastodon

Your self-hosted, globally interconnected microblogging community

All releases →

Related context

Related tools

Earlier breaking changes

v4.5.10 Requires assets recompilation for upgrade