CVE-2026-23964
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-02-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joinmastodon | mastodon | to 4.3.18 (exc) |
| joinmastodon | mastodon | From 4.4.0 (inc) to 4.4.12 (exc) |
| joinmastodon | mastodon | From 4.5.0 (inc) to 4.5.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23964 is an insecure direct object reference (IDOR) vulnerability in Mastodon's web push subscription update endpoint. It allows any authenticated user to update another user's push notification subscription by guessing or obtaining the numeric subscription ID. This means an attacker can tamper with other users' push notification settings, such as filtering policies and notification types, and can also obtain the push notification endpoint URL associated with the subscription. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to disrupt your push notifications on Mastodon. An attacker who is authenticated can change your push subscription settings, potentially filtering out notifications you would normally receive or altering the types of notifications you get. Additionally, the attacker can obtain your push notification endpoint URL, which may lead to privacy concerns. However, the vulnerability does not expose keypairs or cause availability issues. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring requests to the web push subscription update endpoint for suspicious activity, such as authenticated users attempting to update push subscriptions with numeric subscription IDs that do not belong to them. Network traffic analysis tools or web server logs can be used to identify such unauthorized update attempts. Specific commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Mastodon to versions v4.3.18, v4.4.12, or v4.5.5 where the vulnerability has been patched. Until the upgrade is applied, restrict access to the web push subscription update endpoint to trusted users only and monitor for suspicious activity related to push subscription updates. [1]