CVE-2026-23961
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-02-02

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if they are boosted. Furthermore, under certain circumstances, previously unknown posts from suspended users can be processed. This issue allows old posts from suspended users to occasionally end up on timelines on all Mastodon versions. Additionally, on Mastodon versions v4.5.0 to v4.5.4, v4.4.5 to v4.4.11, v4.3.13 to v4.3.17, and v4.2.26 to v4.2.29, remote suspended users can partially bypass the suspension to get new posts in. Mastodon versions v4.5.5, v4.4.12, and v4.3.18 are patched.
Meta Information
Published
2026-01-22
Last Modified
2026-02-02
Generated
2026-05-06
AI Q&A
2026-01-22
EPSS Evaluated
2026-05-05
Affected Vendors & Products
3 associated CPEs

Vendor        Product    Version / Range
joinmastodon  mastodon   up to 4.3.18 (exclusive)
joinmastodon  mastodon   from 4.4.0 (inclusive) to 4.4.12 (exclusive)
joinmastodon  mastodon   from 4.5.0 (inclusive) to 4.5.5 (exclusive)
CWE ID    Description
CWE-863   The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Mastodon allows suspended remote users to bypass suspension restrictions. Due to logic errors, posts from suspended users can still appear in timelines. Known posts from suspended users may show up if boosted, and under certain conditions, new posts from suspended users can also be processed and displayed. This means that suspension does not fully prevent a remote user from having their posts visible on timelines in affected versions. [2]


How can this vulnerability impact me?

The impact of this vulnerability is that suspended remote users can partially bypass suspension controls, causing their posts to appear in timelines despite being suspended. This compromises the integrity of the social network's moderation by allowing unauthorized content to be visible. However, confidentiality and availability are not affected. The presence of unauthorized posts can undermine trust in the platform's suspension mechanisms. [2]


What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2026-23961, immediately upgrade your Mastodon instance to a patched version: v4.3.18, v4.4.12, or v4.5.5. Before upgrading, back up your databases. After upgrading, restart all Mastodon processes. Follow the upgrade instructions specific to your deployment environment, including asset recompilation if required. These steps will fix the remote user suspension bypass vulnerability and related issues. [1, 3, 4]

