the may 2026 fedi software vulnerability
On May 20, 2026, a critical vulnerability in the ActivityPub protocol was disclosed by security researcher w on their blog. The flaw, present in several federated software implementations, allows remote code execution via specially crafted ActivityPub messages. Affected platforms include Mastodon, Pleroma, and others. Patches have been released for Mastodon versions 4.2.8 and 4.3.0-beta.2, and for Pleroma version 2.6.2. Users are urged to update immediately. The vulnerability was responsibly disclosed and coordinated with maintainers before public release. No active exploitation has been reported as of the disclosure date.
// why it matters
Developers must patch their federated software to prevent remote code execution attacks.