FKIE_CVE-2026-23964

Vulnerability from fkie_nvd - Published: 2026-01-22 03:15 - Updated: 2026-02-02 20:26
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
References
security-advisories@github.comhttps://github.com/mastodon/mastodon/releases/tag/v4.3.18Release Notes
security-advisories@github.comhttps://github.com/mastodon/mastodon/releases/tag/v4.4.12Release Notes
security-advisories@github.comhttps://github.com/mastodon/mastodon/releases/tag/v4.5.5Release Notes
security-advisories@github.comhttps://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4Vendor Advisory
Impacted products
Vendor Product Version
joinmastodon mastodon *
joinmastodon mastodon *
joinmastodon mastodon *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0ADDA491-E534-4DFB-856F-9D07F38F3A92",
              "versionEndExcluding": "4.3.18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9BAA2A25-EE70-4B9F-8848-2CCE9C243077",
              "versionEndExcluding": "4.4.12",
              "versionStartIncluding": "4.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "71845808-53CF-46D1-9A12-F14F1BAED488",
              "versionEndExcluding": "4.5.5",
              "versionStartIncluding": "4.5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user\u0027s push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched."
    },
    {
      "lang": "es",
      "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub. Antes de las versiones 4.5.5, 4.4.12 y 4.3.18, una referencia directa a objeto insegura en el endpoint de actualizaci\u00f3n de suscripci\u00f3n de notificaciones push web permite a cualquier usuario autenticado actualizar la suscripci\u00f3n de notificaciones push de otro usuario adivinando u obteniendo el ID num\u00e9rico de la suscripci\u00f3n. Esto puede usarse para interrumpir las notificaciones push de otros usuarios y tambi\u00e9n filtra el endpoint de suscripci\u00f3n de notificaciones push web. Cualquier usuario con una suscripci\u00f3n de notificaciones push web se ve afectado, porque otro usuario autenticado puede manipular la configuraci\u00f3n de su suscripci\u00f3n de notificaciones push si puede adivinar u obtener el ID de la suscripci\u00f3n. Esto permite a un atacante interrumpir las notificaciones push cambiando la pol\u00edtica (si filtrar notificaciones de usuarios no seguidores o no seguidos) y los tipos de notificaci\u00f3n suscritos de sus v\u00edctimas. Adem\u00e1s, el endpoint devuelve el objeto de suscripci\u00f3n, que incluye el endpoint de notificaci\u00f3n push para esta suscripci\u00f3n, pero no su par de claves. Las versiones de Mastodon v4.5.5, v4.4.12, v4.3.18 est\u00e1n parcheadas."
    }
  ],
  "id": "CVE-2026-23964",
  "lastModified": "2026-02-02T20:26:10.053",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-22T03:15:46.700",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.12"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.