CVE-2026-23962
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-02-02

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23962
EUVD
EUVD-2026-4208
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
joinmastodon mastodon to 4.3.18 (exc)
joinmastodon mastodon From 4.4.0 (inc) to 4.4.12 (exc)
joinmastodon mastodon From 4.5.0 (inc) to 4.5.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Mastodon allows attackers to create polls with an excessively large number of options in remote posts because versions before v4.3.18, v4.4.12, and v4.5.5 do not limit the maximum number of poll options. This causes a significant increase in resource consumption on both Mastodon servers and clients, potentially leading to Denial of Service (DoS) conditions. [1]

Impact Analysis

The vulnerability can cause disproportionate resource usage on Mastodon servers and clients, which may result in Denial of Service (DoS). This means the service could become unavailable or unresponsive, disrupting normal operations and access for users. [1]

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Mastodon server to version v4.3.18, v4.4.12, or v4.5.5 or later, as these versions include patches that limit the maximum number of poll options in remote posts, preventing excessive resource consumption and potential Denial of Service. [1]

Compliance Impact

This vulnerability causes a Denial of Service (DoS) by resource exhaustion but does not impact confidentiality or integrity of data. Therefore, it does not directly affect compliance with standards focused on data protection such as GDPR or HIPAA. However, the availability impact could indirectly affect service reliability obligations under some regulations, but no specific compliance impact is detailed. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23962. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart