CVE-2026-23964

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/mastodon/mastodon/releases/tag/v4.3.18	Release Notes
https://github.com/mastodon/mastodon/releases/tag/v4.4.12	Release Notes
https://github.com/mastodon/mastodon/releases/tag/v4.5.5	Release Notes
https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::

History

No history.

Information

Published : 2026-01-22 03:15

Updated : 2026-02-02 20:26

NVD link : CVE-2026-23964

Mitre link : CVE-2026-23964

CVE.ORG link : CVE-2026-23964

JSON object : View

Products Affected

joinmastodon

mastodon

CWE

CWE-863

Incorrect Authorization

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-23964", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-01-22T03:15:46.700", "references": [{"url": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched."}], "lastModified": "2026-02-02T20:26:10.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0ADDA491-E534-4DFB-856F-9D07F38F3A92", "versionEndExcluding": "4.3.18"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9BAA2A25-EE70-4B9F-8848-2CCE9C243077", "versionEndExcluding": "4.4.12", "versionStartIncluding": "4.4.0"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71845808-53CF-46D1-9A12-F14F1BAED488", "versionEndExcluding": "4.5.5", "versionStartIncluding": "4.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}