Improper access control in Mastodon - CVE-2026-23961

Published: April 23, 2026


Vulnerability identifier: #VU126990
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-23961
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mastodon
Affected software:
Mastodon

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass suspension restrictions and cause suspended users' posts to appear in timelines.

The vulnerability exists due to improper access control in the suspension handling logic when boosted or newly processed posts from suspended remote users are handled. A remote attacker can cause such posts to be processed and displayed, bypassing the suspension restrictions so that suspended users' posts appear in timelines.

On all affected versions, already-known posts may appear if boosted. Under certain circumstances, previously unknown posts from suspended users can also be processed.
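The following is an added illustration, not Mastodon's code and not a reconstruction of the actual defect: a generic model of the failure class the advisory describes (CWE-284 in suspension handling), where a timeline check looks only at the account that delivered a status and so lets a boost by an unsuspended account carry a suspended author's post through. The hardened check walks the whole boost chain, and the audit helper shows how an operator could flag statuses already in a timeline whose author chain includes a suspended account. All struct names, functions and sample data are constructed for this example.

```ruby
# Added illustration (not Mastodon's code): a minimal model of the access-control
# check that suspension handling needs when a post can reach a timeline either
# directly or wrapped in a boost. All names and sample data below are constructed.

Account = Struct.new(:id, :domain, :suspended, keyword_init: true)
# `reblog` holds the boosted original when this status is a boost, else nil.
Status  = Struct.new(:id, :account, :reblog, keyword_init: true)

# Weak check: looks only at the account that delivered the status. A boost by a
# non-suspended account therefore carries a suspended author's post through.
def visible_in_timeline_weak?(status)
  !status.account.suspended
end

# Hardened check: every account in the boost chain must be unsuspended. The loop
# also covers nested or malformed chains rather than assuming a depth of one.
def visible_in_timeline?(status)
  current = status
  while current
    return false if current.account.suspended
    current = current.reblog
  end
  true
end

# Filters a batch of incoming statuses the way a timeline feed should.
def timeline_filter(statuses)
  statuses.select { |s| visible_in_timeline?(s) }
end

# Defender-side audit: ids of statuses already in a timeline whose author chain
# includes a suspended account (i.e. ones that the weak check would let through).
def audit_timeline(statuses)
  statuses.reject { |s| visible_in_timeline?(s) }.map(&:id)
end

# Constructed sample data: one local user, one suspended remote user.
def sample_statuses
  ok_user        = Account.new(id: 1, domain: 'example.org', suspended: false)
  suspended_user = Account.new(id: 2, domain: 'remote.example', suspended: true)

  normal_post    = Status.new(id: 10, account: ok_user, reblog: nil)
  suspended_post = Status.new(id: 11, account: suspended_user, reblog: nil)
  # A boost by an unsuspended account of the suspended author's post.
  boost_of_suspended = Status.new(id: 12, account: ok_user, reblog: suspended_post)

  { normal: normal_post, suspended: suspended_post, boost: boost_of_suspended }
end

if __FILE__ == $PROGRAM_NAME
  s = sample_statuses
  puts "weak check lets the boost through: #{visible_in_timeline_weak?(s[:boost])}"
  puts "hardened check blocks it:          #{!visible_in_timeline?(s[:boost])}"
  puts "audit flags status ids: #{audit_timeline(s.values).inspect}"
end
```

Running the file prints that the weak check admits the boost while the hardened check rejects it, and the audit flags both the suspended author's own post and the boost wrapping it. The point for a reviewer is that any path by which a post enters a timeline (direct delivery, boost, late fetch of a previously unknown post) has to apply the same author-level check, not just a check on the delivering account.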


How to mitigate CVE-2026-23961

Install the security update from the vendor's website.

Sources