Vulnerability DatabaseCVE-2026-33868

CVE-2026-33868:
NixOS vulnerability analysis and mitigation

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the /web/* route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (%2F) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.

Source: NVD

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

6.1

Score

Published March 27, 2026

Severity MEDIUM

CNA Score 4.3

Affected Technologies

NixOS
Mastodon

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 76.1

Exploitation Probability (EPSS) 0.9

Affected packages and libraries

mastodon
cpe:2.3:a:joinmastodon:mastodon

Sources

Nix
- Nix Severity MEDIUMHas FixAdded at: Apr 02, 2026
VulnCheck NVD++
- Linux Severity MEDIUMHas FixAdded at: Mar 29, 2026
NVD
- Linux Severity MEDIUMHas FixAdded at: Apr 02, 2026

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related NixOS vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-2370	HIGH	8.8	GitLab	gitlab	No	Yes	Mar 30, 2026
CVE-2026-33206	HIGH	8.2	NixOS	calibre	No	Yes	Mar 27, 2026
CVE-2026-33868	MEDIUM	6.1	NixOS	mastodon	No	Yes	Mar 27, 2026
CVE-2026-33869	MEDIUM	4.8	NixOS	cpe:2.3:a:joinmastodon:mastodon	No	Yes	Mar 27, 2026
CVE-2026-33205	MEDIUM	4.8	NixOS	cpe:2.3:a:calibre-ebook:calibre	No	Yes	Mar 27, 2026