CVE-2026-23964

EPSS 0.04%
Veröffentlicht 22.01.2026 01:55:29
Zuletzt bearbeitet 02.02.2026 20:26:10
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Joinmastodon ≫ Mastodon Version < 4.3.18

Joinmastodon ≫ Mastodon Version >= 4.4.0 < 4.4.12

Joinmastodon ≫ Mastodon Version >= 4.5.0 < 4.5.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.114

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
security-advisories@github.com	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/mastodon/mastodon/releases/tag/v4.3.18

Release Notes

https://github.com/mastodon/mastodon/releases/tag/v4.4.12

Release Notes

https://github.com/mastodon/mastodon/releases/tag/v4.5.5

Release Notes

https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-23964

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-23964

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-23964

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-23964