CVE-2026-23962

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/mastodon/mastodon/releases/tag/v4.3.18	Release Notes
https://github.com/mastodon/mastodon/releases/tag/v4.4.12	Release Notes
https://github.com/mastodon/mastodon/releases/tag/v4.5.5	Release Notes
https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::

History

No history.

Information

Published : 2026-01-22 03:15

Updated : 2026-02-02 20:27

NVD link : CVE-2026-23962

Mitre link : CVE-2026-23962

CVE.ORG link : CVE-2026-23962

JSON object : View

Products Affected

joinmastodon

mastodon

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2026-23962", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-01-22T03:15:46.400", "references": [{"url": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched."}], "lastModified": "2026-02-02T20:27:51.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0ADDA491-E534-4DFB-856F-9D07F38F3A92", "versionEndExcluding": "4.3.18"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9BAA2A25-EE70-4B9F-8848-2CCE9C243077", "versionEndExcluding": "4.4.12", "versionStartIncluding": "4.4.0"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71845808-53CF-46D1-9A12-F14F1BAED488", "versionEndExcluding": "4.5.5", "versionStartIncluding": "4.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}