Description

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.

INFO

Published Date :

2026-01-22T01:55:29.904Z

Last Modified :

2026-01-22T17:02:23.614Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-23964 vulnerability.

Vendors Products
Joinmastodon
  • Mastodon
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23964.

URL Resource
https://github.com/mastodon/mastodon/releases/tag/v4.3.18 cve-icon cve-icon
https://github.com/mastodon/mastodon/releases/tag/v4.4.12 cve-icon cve-icon
https://github.com/mastodon/mastodon/releases/tag/v4.5.5 cve-icon cve-icon
https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact