CVE-2026-23964— Mastodon has insufficient access control to push notification settings

Mastodon has insufficient access control to push notification settings

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

授权机制不正确

Mastodon 安全漏洞

Mastodon是Mastodon开源的一款基于ActivityPub的开源社交网络服务器。 Mastodon v4.5.5之前版本、v4.4.12之前版本和v4.3.18之前版本存在安全漏洞，该漏洞源于Web推送订阅更新端点存在不安全的直接对象引用，可能导致推送通知被破坏和信息泄露。

N/A

N/A