Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
Published: 2026-01-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Modification of User Notification Settings and Information Disclosure
Action: Patch
AI Analysis

Impact

Mastodon, a decentralized social network server, contains an insecure direct object reference that permits any authenticated user to alter another user's web push subscription settings when the numeric subscription ID is known. The flaw lets an attacker disrupt or modify the delivery policy of a victim's push notifications and exposes the victim's subscription endpoint to the attacker. The weakness is rooted in improper access control over the subscription object and is classified under CWE-639 and CWE-863.

Affected Systems

Mastodon servers running versions earlier than 4.3.18, 4.4.12, or 4.5.5 are vulnerable. Any user who has a web push subscription is potentially at risk because other authenticated users can guess or obtain subscription identifiers and modify their settings.

Risk and Exploitability

The flaw requires the attacker to hold an account on the Mastodon instance and to guess or otherwise acquire a subscription ID, so it cannot be exploited by unauthenticated parties. The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, but the impact can be significant for users who rely on push notifications. Given the moderate severity and the authentication requirement, the overall risk for impacted servers is moderate.

Generated by OpenCVE AI on April 18, 2026 at 03:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched Mastodon release (v4.3.18, v4.4.12, or v4.5.5 or later) as soon as possible.
  • Ensure that only the owner of a subscription can access the update endpoint, and remove or obfuscate the numeric subscription ID in public contexts to mitigate ID guessing.
  • Enable audit logging and monitor for unauthorized push subscription changes so that anomalous activity can be detected and investigated promptly.
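The owner-scoping fix behind the second recommendation, shown as an added Ruby example that is not Mastodon's code: a hypothetical `update_owned` handler that looks a subscription up only among the caller's own records, beside the unscoped `update_unscoped` lookup pattern the advisory describes, plus a denied-attempt entry written to an in-memory audit log for the monitoring recommendation. All users, ids, endpoints, class names and function names below are constructed for the example.

```ruby
# Added example (not Mastodon's code): owner-scoped lookup for an
# "update my push subscription" endpoint, contrasted with the unscoped
# lookup that produces an insecure direct object reference (IDOR).
# Every class, user, id and endpoint here is constructed for illustration.

NotFound = Class.new(StandardError)

PushSubscription = Struct.new(:id, :user_id, :endpoint, :policy, :alerts, keyword_init: true)
User             = Struct.new(:id, :username, keyword_init: true)

# Constructed sample data: two users, each owning one subscription.
USERS = {
  1 => User.new(id: 1, username: 'alice'),
  2 => User.new(id: 2, username: 'bob')
}.freeze

SUBSCRIPTIONS = {
  10 => PushSubscription.new(id: 10, user_id: 1, endpoint: 'https://push.example/alice-token',
                             policy: 'all', alerts: { 'mention' => true, 'follow' => true }),
  11 => PushSubscription.new(id: 11, user_id: 2, endpoint: 'https://push.example/bob-token',
                             policy: 'all', alerts: { 'mention' => true, 'follow' => true })
}.freeze

# Audit trail of rejected update attempts: the signal an operator would
# alert on when monitoring for unauthorized push subscription changes.
AUDIT_LOG = []

def audit(actor, subscription_id)
  AUDIT_LOG << { actor_id: actor.id, subscription_id: subscription_id,
                 event: 'push_subscription.update_denied' }
end

# Vulnerable shape: the record is fetched by id alone, ownership is never
# compared with the caller, so any authenticated user can update any
# subscription and receives the owner's endpoint in the response.
def update_unscoped(_current_user, id, attrs)
  sub = SUBSCRIPTIONS.fetch(id) { raise NotFound }
  apply(sub, attrs)
end

# Hardened shape: the lookup is restricted to the caller's own subscriptions.
# A foreign id is treated exactly like a nonexistent one, so the caller
# learns neither that the id exists nor what endpoint it points at.
def update_owned(current_user, id, attrs)
  sub = SUBSCRIPTIONS[id]
  unless sub && sub.user_id == current_user.id
    audit(current_user, id)
    raise NotFound
  end
  apply(sub, attrs)
end

# Applies the permitted fields and serializes the subscription the way the
# advisory describes: the endpoint is part of the returned object.
def apply(sub, attrs)
  sub.policy = attrs['policy'] if attrs.key?('policy')
  sub.alerts = sub.alerts.merge(attrs.fetch('alerts', {}))
  { 'id' => sub.id, 'endpoint' => sub.endpoint, 'policy' => sub.policy, 'alerts' => sub.alerts }
end
```

The decisive line is the ownership check in `update_owned`; in a Rails application the same effect comes from scoping the query through the authenticated user's association instead of querying the table globally. Raising the same not-found error for foreign and missing ids keeps the response from confirming which ids exist.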



Advisories

No advisories yet.

History

Mon, 02 Feb 2026 20:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-639
CPEs                          cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Joinmastodon
                                       Joinmastodon mastodon
Vendors & Products                     Joinmastodon
                                       Joinmastodon mastodon

Thu, 22 Jan 2026 23:00:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 22 Jan 2026 02:45:00 +0000

Type          Values Removed   Values Added
Description                    (the description text shown at the top of this page)
Title                          Mastodon has insufficient access control to push notification settings
Weaknesses                     CWE-863
References
Metrics                        cvssV3_1
                               {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T17:02:23.614Z

Reserved: 2026-01-19T14:49:06.313Z

Link: CVE-2026-23964

Vulnrichment

Updated: 2026-01-22T17:02:19.354Z

NVD

Status : Analyzed

Published: 2026-01-22T03:15:46.700

Modified: 2026-02-02T20:26:10.053

Link: CVE-2026-23964

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses