Italy’s National Cybersecurity Agency published a CSIRT alert on April 24 regarding a high-severity vulnerability in Mastodon, tracked as CVE-2026-41259 with a CVSS score of 8.2. The flaw allows attackers to bypass email domain restrictions during user registration. Fixes are available in versions 4.3.22, 4.4.16, and 4.5.9, released on April 15.
The vulnerability stems from inadequate email validation during signup. Mastodon administrators can configure blacklists or whitelists of email domains to control who can register. The basic validation worked, but it didn’t account for certain special characters that mail servers interpret differently. An attacker could craft an email address that passed validation checks, effectively bypassing both domain blacklists and whitelists.
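As an added illustration, not Mastodon's own code, the following Ruby shows the defensive pattern behind the fix: refuse any address whose syntax different parsers might read differently (quoting, comments, whitespace, more than one "@", trailing dots) before the domain is ever compared against a list. The allowlist/blocklist semantics are an assumption for the example, not a description of Mastodon's implementation.

```ruby
# Added example (not Mastodon's code): strict email-domain policy check.
# Assumption: the policy is a plain allowlist/blocklist of exact domains,
# which is the general shape of what the article describes.

# Only RFC 5322 "dot-atom" characters are accepted in the local part; quoted
# strings, comments and whitespace are refused rather than interpreted.
ALLOWED_LOCAL = /\A[A-Za-z0-9!#$%&'*+\/=?^_`{|}~.-]+\z/
# Domain: dot-separated labels, letters-only TLD, no trailing dot.
ALLOWED_DOMAIN = /\A(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}\z/

# Returns the normalized (lower-cased) domain of a conservatively parsed
# address, or nil if the address uses any syntax that could be read
# differently by another parser or mail server.
def strict_email_domain(address)
  return nil unless address.is_a?(String)
  return nil if address.count("@") != 1
  local, domain = address.split("@", 2)
  return nil unless local.match?(ALLOWED_LOCAL) && domain.match?(ALLOWED_DOMAIN)
  return nil if local.start_with?(".") || local.end_with?(".") || local.include?("..")
  domain.downcase
end

# Policy decision: ambiguous addresses are refused outright, a blocklist hit
# always wins, and an empty allowlist means "any domain that is not blocked".
def registration_allowed?(address, allowlist: [], blocklist: [])
  domain = strict_email_domain(address)
  return false if domain.nil?
  return false if blocklist.map(&:downcase).include?(domain)
  allowlist.empty? || allowlist.map(&:downcase).include?(domain)
end
```

The key property is that an address is compared against the lists only after it has been reduced to a single unambiguous domain; anything the parser cannot reduce is rejected instead of being guessed at.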
What’s at risk
Based on available information, the vulnerability doesn’t directly compromise data confidentiality or service availability. The issue centers on access control integrity during registration. Admins running closed communities, corporate servers, or instances with strict membership policies could find themselves accepting registrations they intended to block. The bypass remained exploitable on any server until it applied the patch.
Patched versions
The fixed versions are 4.3.22, 4.4.16, and 4.5.9, released on April 15. Worth noting: the 4.3.x branch reaches end of support on May 6, giving users on that track an additional reason to update or migrate to a newer branch.