Authorization bypass through user-controlled key in Mastodon - CVE-2026-23964

Published: April 23, 2026


Vulnerability identifier: #VU126991
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-23964
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mastodon
Affected software:
Mastodon

Detailed vulnerability description

The vulnerability allows a remote attacker to read another user's web push subscription and to modify that user's push notification settings.

The vulnerability exists due to improper access control (CWE-639, authorization bypass through a user-controlled key) in the web push subscription update endpoint: the subscription to update is selected by the numeric subscription id supplied in the request, without a check that it belongs to the requesting user. A remote attacker who guesses or otherwise obtains another user's subscription id can send a crafted update request referencing that id.

The endpoint returns the updated subscription object, which includes the web push subscription endpoint URL, so the attack discloses that value. Because the same request accepts the notification filtering policy and the set of subscribed notification types, the attacker can also disrupt or silence the victim's notifications.
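As an added illustration (not code from Mastodon or from this advisory), the following Ruby models the defect described above beside the scoped lookup that closes it. The in-memory store, the field names and the use of an account id as the ownership key are assumptions made for the example; the advisory does not describe Mastodon's internal schema or routes.

```ruby
# Added illustrative example; not Mastodon's code. Models a web push
# subscription update endpoint over an in-memory store to show the CWE-639
# defect beside the fix. Names, fields and the account-id scoping key are
# assumptions, not Mastodon's actual schema or routes.

Subscription = Struct.new(:id, :account_id, :endpoint, :alerts, :policy,
                          keyword_init: true)

class NotFound < StandardError; end

# Constructed sample data: two accounts (100 and 200), one subscription each.
# Returns a fresh copy so each call can be exercised independently.
def sample_store
  {
    1 => Subscription.new(id: 1, account_id: 100,
                          endpoint: "https://push.example/send/alice-secret",
                          alerts: { "mention" => true, "follow" => true },
                          policy: "all"),
    2 => Subscription.new(id: 2, account_id: 200,
                          endpoint: "https://push.example/send/bob-secret",
                          alerts: { "mention" => true, "follow" => false },
                          policy: "all"),
  }
end

# What the endpoint returns to the caller. The endpoint URL is the sensitive
# part: whoever holds it can address pushes to that browser.
def serialize(sub)
  { id: sub.id, endpoint: sub.endpoint, alerts: sub.alerts.dup, policy: sub.policy }
end

# Applies the writable fields of an update request and returns the object
# the endpoint would send back.
def apply_changes(sub, params)
  sub.alerts = sub.alerts.merge(params[:alerts]) if params.key?(:alerts)
  sub.policy = params[:policy] if params.key?(:policy)
  serialize(sub)
end

# Vulnerable: the record is selected by the client-supplied id alone, so the
# caller's identity never enters the lookup. Any caller who guesses a small
# numeric id reads and rewrites someone else's subscription.
def update_subscription_vulnerable(store, _current_account_id, params)
  sub = store[Integer(params[:id], exception: false)]
  raise NotFound unless sub
  apply_changes(sub, params)
end

# Hardened: the lookup is scoped to the caller, so a foreign id is treated
# exactly like a nonexistent one (404). Answering differently for "exists
# but not yours" would still confirm valid ids to an attacker.
def update_subscription_hardened(store, current_account_id, params)
  sub = store[Integer(params[:id], exception: false)]
  raise NotFound unless sub && sub.account_id == current_account_id
  apply_changes(sub, params)
end

if $PROGRAM_NAME == __FILE__
  attacker = 200
  request = { id: "1", policy: "none", alerts: { "mention" => false } }

  leaked = update_subscription_vulnerable(sample_store, attacker, request)
  puts "vulnerable: account #{attacker} read #{leaked[:endpoint]} and set policy=#{leaked[:policy]}"

  begin
    update_subscription_hardened(sample_store, attacker, request)
  rescue NotFound
    puts "hardened: foreign id rejected as not found"
  end
end
```

The whole fix is the ownership condition in the lookup. In a Rails application this is the difference between `Model.find(params[:id])` and `current_account.subscriptions.find(params[:id])`: the second form cannot return another user's row, and it raises the same not-found error for a foreign id as for a missing one, so the response does not reveal which ids exist.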


How to mitigate CVE-2026-23964

Install the security update from the vendor's website.
