PT-2026-3902 · Mastodon · Mastodon

Megamansec · Published 2026-01-22 · Updated 2026-02-02 · CVE-2026-23964

CVSS v3.1: 6.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Mastodon versions prior to 4.5.5
Mastodon versions prior to 4.4.12
Mastodon versions prior to 4.3.18

Description

Mastodon is a social network server. An insecure direct object reference exists in the web push subscription update endpoint: an authenticated user who determines the numeric id of another user's push subscription can update that subscription. This can disrupt the victim's push notifications and reveals the web push subscription endpoint. Any user with a web push subscription is potentially affected, since an attacker who determines the subscription id can modify its settings, changing the victim's notification policy and subscribed notification types. The endpoint returns the subscription object, including the push notification endpoint, but not the keypair.

Recommendations

Update to Mastodon version 4.5.5 or later.
Update to Mastodon version 4.4.12 or later.
Update to Mastodon version 4.3.18 or later.
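The ownership check that closes this class of bug, as an added example in Ruby (Mastodon's implementation language) that is not Mastodon's own code: the in-memory store, user ids, endpoints, keys and function names are constructed assumptions, and the unscoped variant is shown only to contrast with the scoped lookup.

```ruby
# Added example, not Mastodon's code: models the ownership check that
# closes an IDOR on an update-by-id endpoint for web push subscriptions.
# Store, ids, endpoints and keys are constructed sample data.
SAMPLE = {
  1 => { user_id: 10, endpoint: 'https://push.example/abc', policy: 'all',
         types: %w[mention follow], keys: { p256dh: 'PUB1', auth: 'SEC1' } },
  2 => { user_id: 20, endpoint: 'https://push.example/xyz', policy: 'followed',
         types: %w[mention], keys: { p256dh: 'PUB2', auth: 'SEC2' } }
}.freeze

# Returns a fresh, mutable deep copy of the sample store.
def sample_store
  Marshal.load(Marshal.dump(SAMPLE))
end

# Serializer mirroring the advisory: the response carries the push endpoint,
# policy and types, but never the keypair.
def present(sub)
  { endpoint: sub[:endpoint], policy: sub[:policy], types: sub[:types] }
end

# Only policy and notification types are writable by the caller (the
# analogue of strong parameters); user_id and keys are never assignable.
def permitted(changes)
  changes.slice(:policy, :types)
end

# Unscoped lookup (the IDOR pattern): the record is fetched by id alone, so
# any authenticated user who knows the number can modify and read it.
def update_subscription_unscoped(store, _current_user_id, id, changes)
  sub = store[id]
  return [404, nil] if sub.nil?
  sub.merge!(permitted(changes))
  [200, present(sub)]
end

# Scoped lookup (the fix pattern): the record must belong to the caller.
# A foreign id is answered exactly like a missing one, so the existence of
# another user's subscription is not disclosed either.
def update_subscription_scoped(store, current_user_id, id, changes)
  sub = store[id]
  return [404, nil] if sub.nil? || sub[:user_id] != current_user_id
  sub.merge!(permitted(changes))
  [200, present(sub)]
end
```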

Weakness Enumeration

IDOR
Incorrect Authorization

Related Identifiers

BIT-MASTODON-2026-23964
CVE-2026-23964
GHSA-F3Q8-7VW3-69V4

Affected Products

Mastodon