CVE-2026-23961

CVSS v3.1

5.3

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Mastodon versions 4.2.26 through 4.2.29 Mastodon versions 4.3.13 through 4.3.17 Mastodon versions 4.4.5 through 4.4.11 Mastodon versions 4.5.0 through 4.5.4

Description Mastodon is a social network server that allows administrators to suspend users. Logic errors exist that can allow posts from suspended users to appear in timelines, even after suspension. Specifically, known posts from suspended users can appear if they have been boosted. In some cases, previously unknown posts from suspended users can also be processed. In certain versions, suspended users can partially bypass the suspension to post new content.

Recommendations Update to Mastodon version 4.5.5. Update to Mastodon version 4.4.12. Update to Mastodon version 4.3.18.

Exploit

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

BIT-MASTODON-2026-23961

CVE-2026-23961

GHSA-5H2F-WG8J-XQWP

Affected Products

Mastodon

CVE-2026-23961

Weakness Enumeration

Related Identifiers

Affected Products

References · 12