SB2026042386 - Multiple vulnerabilities in Mastodon



SB2026042386 - Multiple vulnerabilities in Mastodon

Published: April 23, 2026

Security Bulletin ID SB2026042386
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-23961)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass suspension restrictions and cause suspended users' posts to appear in timelines.

The vulnerability exists due to improper access control in suspension handling logic when processing boosted or newly processed posts from suspended remote users. A remote attacker can cause suspended users' posts to be processed and displayed to bypass suspension restrictions and cause suspended users' posts to appear in timelines.

On all affected versions, already-known posts may appear if boosted. Under certain circumstances, previously unknown posts from suspended users can also be processed.


2) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-23964)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information and modify push notification settings.

The vulnerability exists due to improper access control in the web push subscription update endpoint when handling subscription update requests with a guessed or obtained numeric subscription id. A remote attacker can send a crafted request referencing another user's subscription id to disclose sensitive information and modify push notification settings.

The returned subscription object includes the web push subscription endpoint, and exploitation can disrupt notifications by changing filtering policies and subscribed notification types.


3) Input validation error (CVE-ID: CVE-2026-23962)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in poll handling for remote posts when processing remote posts containing an excessive number of poll options. A remote attacker can create a remote post with a very large number of poll options to cause a denial of service.

The issue can cause disproportionate resource consumption in both Mastodon servers and clients.


4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-23963)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in list names, filter names, and filter keywords when processing user-supplied values. A remote user can set arbitrarily long names or keywords to cause a denial of service.

A user can also render their own web interface unusable, including by unknowingly approving a malicious API client.


Remediation

Install update from vendor's website.