TROYANOSYVIRUS
Voltar para CVEs

CVE-2026-23964

MEDIUM
6.5

Descricao

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.

Detalhes CVE

Pontuacao CVSS v3.16.5
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado1/22/2026
Ultima modificacao2/2/2026
Fontenvd
Avistamentos honeypot0

Produtos afetados

joinmastodon:mastodon

Fraquezas (CWE)

CWE-863CWE-639

Referencias

https://github.com/mastodon/mastodon/releases/tag/v4.3.18(security-advisories@github.com)
https://github.com/mastodon/mastodon/releases/tag/v4.4.12(security-advisories@github.com)
https://github.com/mastodon/mastodon/releases/tag/v4.5.5(security-advisories@github.com)
https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4(security-advisories@github.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.