PT-2026-3898 · Mastodon
Welshpixie · Published 2026-01-22 · Updated 2026-02-03
CVE-2026-23961
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Mastodon versions 4.2.26 through 4.2.29
Mastodon versions 4.3.13 through 4.3.17
Mastodon versions 4.4.5 through 4.4.11
Mastodon versions 4.5.0 through 4.5.4
Description
Mastodon is a social network server that allows administrators to suspend users. Logic errors exist that can allow posts from suspended users to appear in timelines, even after suspension. Specifically, known posts from suspended users can appear if they have been boosted. In some cases, previously unknown posts from suspended users can also be processed. In certain versions, suspended users can partially bypass the suspension to post new content.
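The boosted-post case above is a classic visibility-check gap: the filter inspects the account that produced the timeline item (the booster) but not the author of the boosted post. The following is an added Ruby illustration, not Mastodon's code; the Account and Status structs, the sample accounts and the filter functions are assumptions built for the example.

```ruby
# Added illustration (not Mastodon code): a timeline filter that checks the
# suspension state of every account in a boost chain, not only the booster.
Account = Struct.new(:id, :suspended, keyword_init: true)
Status  = Struct.new(:id, :account, :reblog, keyword_init: true)

# Weak pattern: only the account that produced the timeline item is checked,
# so a boost by an active user of a suspended user's post slips through.
def visible_booster_only?(status)
  !status.account.suspended
end

# Hardened pattern: walk the reblog chain; the item is hidden if any account
# along the chain (booster or original author) is suspended.
def visible_full_chain?(status)
  current = status
  while current
    return false if current.account.suspended
    current = current.reblog
  end
  true
end

# Apply a visibility check to a timeline and return the ids that survive.
def filter_timeline(statuses, &check)
  statuses.select { |s| check.call(s) }.map(&:id)
end

# Constructed sample data: an active user boosts a suspended user's post.
ALICE    = Account.new(id: 1, suspended: false)
MALLORY  = Account.new(id: 2, suspended: true)
ORIGINAL = Status.new(id: 10, account: MALLORY, reblog: nil)
BOOST    = Status.new(id: 11, account: ALICE, reblog: ORIGINAL)
OWN      = Status.new(id: 12, account: ALICE, reblog: nil)
SAMPLE_TIMELINE = [ORIGINAL, BOOST, OWN]

if __FILE__ == $PROGRAM_NAME
  puts "booster-only check keeps: #{filter_timeline(SAMPLE_TIMELINE) { |s| visible_booster_only?(s) }.inspect}"
  puts "full-chain check keeps:   #{filter_timeline(SAMPLE_TIMELINE) { |s| visible_full_chain?(s) }.inspect}"
end
```

The weak check keeps the boost (id 11) because Alice is not suspended; the chain-walking check drops it because the boosted post's author is.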
Recommendations
Update to Mastodon version 4.5.5.
Update to Mastodon version 4.4.12.
Update to Mastodon version 4.3.18.
Weakness Enumeration
Incorrect Authorization
Related Identifiers
CVE-2026-23961
Affected Products
Mastodon