PT-2026-3902 · Mastodon · Mastodon
Reported by Megamansec · Published 2026-01-22 · Updated 2026-02-02
CVE-2026-23964
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Mastodon versions prior to 4.5.5
Mastodon versions prior to 4.4.12
Mastodon versions prior to 4.3.18
Description
Mastodon is a social network server. An insecure direct object reference (IDOR) exists in the web push subscription update endpoint: the endpoint looks the subscription up by its numeric id without checking that it belongs to the requesting account, so an authenticated user who obtains another user's subscription id can update that subscription. This can disrupt the victim's push notifications and reveals the victim's web push subscription endpoint. Any user with a web push subscription is potentially affected, as an attacker who can determine the subscription id can change the victim's notification policy and the set of subscribed notification types. The endpoint returns the subscription object, including the push notification endpoint, but not the keypair.
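The bug class described above is a lookup that is keyed on the object id alone, with the caller's identity never entering the authorization decision. The following is an added illustration written for this advisory, not Mastodon's code: a hypothetical Ruby model of an update handler in its vulnerable shape (lookup by id only) beside its fixed shape (lookup scoped to the caller's own rows). The Subscription fields, user ids, endpoints and key strings are constructed placeholders, and the UPDATABLE allowlist is an assumption about what such an endpoint should accept.

```ruby
# Hypothetical model of the IDOR pattern and its fix. Not Mastodon's
# implementation; field names and sample values are constructed.
Subscription = Struct.new(:id, :user_id, :endpoint, :key_p256dh, :key_auth,
                          :policy, :alerts, keyword_init: true)

class NotFound < StandardError; end

# Attributes the update endpoint is allowed to change (assumed allowlist).
UPDATABLE = %i[policy alerts].freeze

# Constructed sample rows; ids, endpoints and keys are placeholders.
def sample_subscriptions
  [
    Subscription.new(id: 1, user_id: 10, endpoint: "https://push.example.test/sub/alice",
                     key_p256dh: "PLACEHOLDER_P256DH_A", key_auth: "PLACEHOLDER_AUTH_A",
                     policy: "all", alerts: { "mention" => true, "follow" => true }),
    Subscription.new(id: 2, user_id: 20, endpoint: "https://push.example.test/sub/bob",
                     key_p256dh: "PLACEHOLDER_P256DH_B", key_auth: "PLACEHOLDER_AUTH_B",
                     policy: "all", alerts: { "mention" => true, "follow" => false }),
  ]
end

# Apply only allowlisted attributes to an already-authorized record.
def apply_update!(sub, attrs)
  unknown = attrs.keys - UPDATABLE
  raise ArgumentError, "not updatable: #{unknown.join(', ')}" unless unknown.empty?
  attrs.each { |k, v| sub[k] = v }
  sub
end

# Vulnerable shape: the record is found by id alone. The caller's identity is
# accepted as a parameter but never used, so any authenticated user who knows a
# numeric id can modify someone else's subscription.
def update_unscoped(subs, _current_user_id, id, attrs)
  sub = subs.find { |s| s.id == id }
  raise NotFound, "subscription #{id}" unless sub
  apply_update!(sub, attrs)
end

# Fixed shape: the lookup is scoped to the caller's own rows. A foreign id is
# indistinguishable from a nonexistent one, so the handler neither modifies
# nor confirms the existence of other users' subscriptions.
def update_scoped(subs, current_user_id, id, attrs)
  sub = subs.find { |s| s.id == id && s.user_id == current_user_id }
  raise NotFound, "subscription #{id}" unless sub
  apply_update!(sub, attrs)
end

# Response body: endpoint and settings are returned, the keypair is not.
def serialize(sub)
  { id: sub.id, endpoint: sub.endpoint, policy: sub.policy, alerts: sub.alerts }
end

if $PROGRAM_NAME == __FILE__
  subs = sample_subscriptions
  # User 20 alters user 10's subscription through the unscoped lookup.
  p serialize(update_unscoped(subs, 20, 1, { policy: "followed" }))
  begin
    update_scoped(sample_subscriptions, 20, 1, { policy: "followed" })
  rescue NotFound => e
    puts "scoped lookup rejected: #{e.message}"
  end
end
```

In a Rails application the same distinction is the difference between `Model.find(params[:id])` and `current_user.association.find(params[:id])`; the scoped form is the one to look for in review, and the allowlist keeps a fixed lookup from turning into a mass-assignment problem.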
Recommendations
Update to Mastodon version 4.5.5 or later.
Update to Mastodon version 4.4.12 or later.
Update to Mastodon version 4.3.18 or later.
Exploit
Fix
IDOR
Incorrect Authorization
Related Identifiers
Affected Products
Mastodon