CVE-2026-23964

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-23964

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23964.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-23964

Aliases

BIT-mastodon-2026-23964
GHSA-f3q8-7vw3-69v4

Published

2026-01-22T01:55:29.904Z

Modified

2026-03-13T04:07:20.941536Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Mastodon has insufficient access control to push notification settings

Details

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23964.json"
}

References

Affected packages

Git / github.com/mastodon/mastodon

Affected ranges

Type

GIT

Repo

https://github.com/mastodon/mastodon

Events

Introduced

Fixed

fa553d848417ffe48f23794f7b798b87eb57477f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.3.18"
        }
    ]
}

Type

GIT

Repo

https://github.com/mastodon/mastodon

Events

Introduced

69e14246b838443985a541e97327494b8d2fdffb

Fixed

cbb10858555d3cbfde24d52859e2d690526c8173

Database specific

{
    "versions": [
        {
            "introduced": "4.4.0"
        },
        {
            "fixed": "4.4.12"
        }
    ]
}

Type

GIT

Repo

https://github.com/mastodon/mastodon

Events

Introduced

26c78392f88afccebb8a88b68bc9994a9ce12648

Fixed

db943c43c8fe834a0db6e87c020783ecf42476a9

Database specific

{
    "versions": [
        {
            "introduced": "4.5.0"
        },
        {
            "fixed": "4.5.5"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.6

v0.7

v0.8

v0.9

v0.9.9

v1.*

v1.0

v1.1

v1.1.1

v1.1.2

v1.2

v1.2.1

v1.2.2

v1.3

v1.3.1

v1.3.2

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.4.7

v1.4rc1

v1.4rc2

v1.4rc3

v1.4rc4

v1.4rc5

v1.4rc6

v1.5.0

v1.5.0rc1

v1.5.0rc2

v1.5.0rc3

v1.5.1

v1.6.0

v1.6.0rc1

v1.6.0rc2

v1.6.0rc3

v1.6.0rc4

v1.6.0rc5

v1.6.1

v2.*

v2.0.0

v2.0.0rc1

v2.0.0rc2

v2.0.0rc3

v2.0.0rc4

v2.1.0

v2.1.0rc1

v2.1.0rc2

v2.1.0rc3

v2.1.0rc4

v2.1.0rc5

v2.1.0rc6

v2.1.1

v2.1.2

v2.1.3

v2.2.0

v2.2.0rc1

v2.2.0rc2

v2.3.0

v2.3.0rc1

v2.3.0rc2

v2.3.0rc3

v2.3.1

v2.3.1rc1

v2.3.1rc2

v2.3.1rc3

v2.3.2

v2.3.2rc1

v2.3.2rc2

v2.3.2rc3

v2.3.2rc4

v2.3.2rc5

v2.4.0

v2.4.0rc1

v2.4.0rc2

v2.4.0rc3

v2.4.0rc4

v2.4.0rc5

v2.4.1

v2.4.1rc1

v2.4.1rc2

v2.4.1rc3

v2.4.1rc4

v2.4.2

v2.4.2rc1

v2.4.2rc2

v2.4.2rc3

v2.4.3

v2.4.3rc1

v2.4.3rc2

v2.4.3rc3

v2.5.0

v2.5.0rc1

v2.5.0rc2

v2.6.0

v2.6.0rc1

v2.6.0rc2

v2.6.0rc3

v2.6.0rc4

v2.6.1

v2.7.0

v2.7.0rc1

v2.7.0rc2

v2.7.0rc3

v2.7.1

v2.8.0

v2.8.0rc1

v2.8.0rc2

v2.8.0rc3

v2.8.1

v2.8.2

v2.9.0

v2.9.0rc1

v2.9.0rc2

v2.9.1

v2.9.2

v3.*

v3.0.0

v3.0.0rc1

v3.0.0rc2

v3.0.0rc3

v3.0.1

v3.1.0

v3.1.0rc1

v3.1.0rc2

v3.1.1

v3.1.2

v3.1.3

v3.1.4

v3.2.0

v3.2.0rc1

v3.2.0rc2

v3.3.0

v3.3.0rc1

v3.3.0rc2

v3.3.0rc3

v3.4.0

v3.4.0rc1

v3.4.0rc2

v3.4.1

v3.5.0

v3.5.0rc1

v3.5.0rc2

v3.5.0rc3

v3.5.1

v3.5.2

v3.5.3

v4.*

v4.0.0

v4.0.0rc1

v4.0.0rc2

v4.0.0rc3

v4.0.0rc4

v4.0.1

v4.0.2

v4.1.0

v4.1.0rc1

v4.1.0rc2

v4.1.0rc3

v4.2.0

v4.2.0-beta1

v4.2.0-beta2

v4.2.0-beta3

v4.2.0-rc1

v4.2.0-rc2

v4.3.0

v4.3.0-beta.1

v4.3.0-beta.2

v4.3.0-rc.1

v4.3.1

v4.3.10

v4.3.11

v4.3.12

v4.3.13

v4.3.14

v4.3.15

v4.3.16

v4.3.17

v4.3.2

v4.3.3

v4.3.4

v4.3.5

v4.3.6

v4.3.7

v4.3.8

v4.3.9

v4.4.0

v4.4.1

v4.4.10

v4.4.11

v4.4.2

v4.4.3

v4.4.4

v4.4.5

v4.4.6

v4.4.7

v4.4.8

v4.4.9

v4.5.0

v4.5.1

v4.5.2

v4.5.3

v4.5.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23964.json"

Git / github.com/tootsuite/mastodon

Affected ranges

Type

GIT

Repo

https://github.com/tootsuite/mastodon

Events

Introduced

Fixed

fa553d848417ffe48f23794f7b798b87eb57477f

Introduced

69e14246b838443985a541e97327494b8d2fdffb

Fixed

cbb10858555d3cbfde24d52859e2d690526c8173

Introduced

26c78392f88afccebb8a88b68bc9994a9ce12648

Fixed

db943c43c8fe834a0db6e87c020783ecf42476a9

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.3.18"
        },
        {
            "introduced": "4.4.0"
        },
        {
            "fixed": "4.4.12"
        },
        {
            "introduced": "4.5.0"
        },
        {
            "fixed": "4.5.5"
        }
    ]
}

Affected versions

v4.*

v4.4.0

v4.4.1

v4.4.10

v4.4.11

v4.4.2

v4.4.3

v4.4.4

v4.4.5

v4.4.6

v4.4.7

v4.4.8

v4.4.9

v4.5.0

v4.5.1

v4.5.2

v4.5.3

v4.5.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23964.json"