Description
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under certain circumstances, previously-unknown posts from suspended users can be processed. This issue allows old posts from suspended users to occasionally end up on timelines on all Mastodon versions. Additionally, on Mastodon versions from v4.5.0 to v4.5.4, v4.4.5 to v4.4.11, v4.3.13 to v4.3.17, and v4.2.26 to v4.2.29, remote suspended users can partially bypass the suspension to get new posts in. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
Published: 2026-01-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Suspension bypass allowing content from suspended users to appear
Action: Patch
AI Analysis

Impact

Mastodon allows administrators to suspend remote users so that their content normally disappears from timelines. A logic error in the enforcement of suspension status lets previously known posts reappear when boosted, and in specific release ranges also lets new posts from the suspended user be displayed to all users. This authorization flaw, classified as CWE-863 (Incorrect Authorization), undermines the administrative suspension, potentially exposing sensitive content or misleading audiences.

Affected Systems

All Mastodon versions are affected by the first issue (old, already-known posts from suspended users reappearing in timelines when boosted). The second issue, in which a remote suspended user can partially bypass the suspension to get new posts in, additionally affects v4.5.0 through v4.5.4, v4.4.5 through v4.4.11, v4.3.13 through v4.3.17, and v4.2.26 through v4.2.29. Versions v4.5.5, v4.4.12, and v4.3.18 contain the vendor‑issued fix; no patched release is listed for the v4.2 branch.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS probability is below 1% and the vulnerability is not included in CISA’s KEV catalog, suggesting a low but non‑zero exploitation risk. Attackers could exploit the flaw remotely via normal user actions such as boosting a suspended user’s post or interacting with the public timeline API, with no elevated privileges required.

Generated by OpenCVE AI on April 18, 2026 at 03:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mastodon to the latest patched release (v4.5.5, v4.4.12, or v4.3.18 depending on the major version) to apply the vendor fix.
  • Review and adjust moderation settings to ensure that suspended users cannot have their posts boosted or displayed in other users’ timelines, thereby reinforcing the missing authorization check.
  • Regularly monitor the Mastodon security advisory page for new patches and validate that no new posts from suspended users appear in public timelines as a sanity check.


Advisories

No advisories yet.

History

Mon, 02 Feb 2026 20:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Joinmastodon; Joinmastodon mastodon

Type: Vendors & Products
Values Added: Joinmastodon; Joinmastodon mastodon

Thu, 22 Jan 2026 23:00:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 02:00:00 +0000

Type: Description
Values Added: Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under certain circumstances, previously-unknown posts from suspended users can be processed. This issue allows old posts from suspended users to occasionally end up on timelines on all Mastodon versions. Additionally, on Mastodon versions from v4.5.0 to v4.5.4, v4.4.5 to v4.4.11, v4.3.13 to v4.3.17, and v4.2.26 to v4.2.29, remote suspended users can partially bypass the suspension to get new posts in. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.

Type: Title
Values Added: Mastodon may allow a remote suspension bypass

Type: Weaknesses
Values Added: CWE-863

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T21:38:52.885Z

Reserved: 2026-01-19T14:49:06.313Z

Link: CVE-2026-23961

Vulnrichment

Updated: 2026-01-22T21:38:48.266Z

NVD

Status : Analyzed

Published: 2026-01-22T02:15:52.780

Modified: 2026-02-02T20:29:07.753

Link: CVE-2026-23961

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses