Description
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large number of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
Published: 2026-01-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Mastodon's lack of a limit on poll options in remote posts allows an attacker to craft a single post with an extremely large number of poll options. Processing such a post consumes a disproportionate amount of CPU, memory and network resources on both the server and client sides. The resulting exhaustion can bring the server to a halt or cause client applications to freeze, producing a denial of service. This weakness is identified as CWE-770, Excessive Resource Consumption.

Affected Systems

The affected product is the Mastodon social networking platform, maintained by JoinMastodon. Versions of Mastodon prior to v4.3.18, v4.4.12 or v4.5.5 are vulnerable. The issue has been resolved in releases v4.3.18, v4.4.12, and v4.5.5 and any subsequent patches. Administrators running those earlier releases should be aware that any remote post containing a large poll list can trigger this behavior.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of < 1% suggests that the likelihood of exploitation at this time is low, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, the attack vector is remote and the attack can be performed by any user who can submit a post, since no special credentials or elevated privileges are required. An attacker can therefore issue a single oversized poll that consumes resources on the receiving server and on every client that renders the post, potentially disrupting service for the entire user base.

Generated by OpenCVE AI on April 18, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mastodon to the patched release for the branch you run, v4.3.18, v4.4.12 or v4.5.5, or any later release within that branch, and apply all subsequent patches.
  • If an immediate upgrade is not feasible, enforce a hard limit on the number of poll options accepted in remote posts, either through server configuration or a custom patch that rejects polls above a safe threshold, so that oversized polls cannot drive excessive resource consumption.
  • Monitor server and client logs for unusually large poll posts, temporarily throttle or reject posts that exceed a defined option count, and consider disabling poll functionality for external accounts until a proper limit can be enforced.
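As an added example of the hard limit and the logging described in the two bullets above (this is not Mastodon's own code and not the upstream fix), the following Ruby screens an incoming ActivityPub Question object, which is how polls travel between servers, and rejects it above a defender-chosen option count. The threshold constant, the sample actor URL and the log line format are assumptions; `oneOf`, `anyOf` and `attributedTo` are standard ActivityStreams properties.

```ruby
require 'json'

# Added example, not Mastodon's own code. Inspects an incoming ActivityPub
# "Question" object (the ActivityPub representation of a poll) and decides
# whether its option count is within a defender-chosen limit.
# MAX_REMOTE_POLL_OPTIONS is an assumed threshold, not a Mastodon setting.
MAX_REMOTE_POLL_OPTIONS = 20

# Polls carry their choices in "oneOf" (single choice) or "anyOf" (multiple
# choice). Count whichever is present; anything malformed counts as 0.
def poll_option_count(object)
  return 0 unless object.is_a?(Hash) && object['type'] == 'Question'
  options = object['oneOf'] || object['anyOf']
  options.is_a?(Array) ? options.length : 0
end

# Returns a decision hash: :accept, or :reject with the offending count,
# plus a log line suitable for alerting on unusually large polls.
def screen_poll(raw_json, limit: MAX_REMOTE_POLL_OPTIONS)
  object = JSON.parse(raw_json)
  count = poll_option_count(object)
  actor = object.is_a?(Hash) ? (object['attributedTo'] || 'unknown') : 'unknown'
  if count > limit
    { decision: :reject, count: count,
      log: "poll_rejected actor=#{actor} options=#{count} limit=#{limit}" }
  else
    { decision: :accept, count: count,
      log: "poll_accepted actor=#{actor} options=#{count}" }
  end
rescue JSON::ParserError => e
  # Unparseable input is rejected rather than passed on to the full pipeline.
  { decision: :reject, count: 0, log: "poll_rejected reason=invalid_json #{e.message}" }
end

# Constructed sample: a Question with n options from a made-up remote actor.
def sample_question(n)
  JSON.generate(
    'type' => 'Question',
    'attributedTo' => 'https://remote.example/users/alice', # constructed
    'oneOf' => (1..n).map { |i| { 'type' => 'Note', 'name' => "Option #{i}" } }
  )
end

if __FILE__ == $0
  puts screen_poll(sample_question(4))[:log]
  puts screen_poll(sample_question(5000))[:log]
end
```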


Advisories

No advisories yet.

History

Mon, 02 Feb 2026 20:30:00 +0000

CPEs, values added: cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000

First Time appeared, values added: Joinmastodon; Joinmastodon mastodon
Vendors & Products, values added: Joinmastodon; Joinmastodon mastodon

Thu, 22 Jan 2026 23:00:00 +0000

Metrics, values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 02:45:00 +0000

Description, values added: identical to the Description at the top of this page
Title, values added: Mastodon vulnerable to Denial of Service from a single post (client/server)
Weaknesses, values added: CWE-770
References
Metrics, values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T21:35:41.343Z

Reserved: 2026-01-19T14:49:06.313Z

Link: CVE-2026-23962

Vulnrichment

Updated: 2026-01-22T21:35:36.721Z

NVD

Status: Analyzed

Published: 2026-01-22T03:15:46.400

Modified: 2026-02-02T20:27:51.360

Link: CVE-2026-23962

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses