CVE-2026-23961
📋 TL;DR
This CVE describes a logic error in Mastodon's user suspension feature that allows posts from suspended remote users to appear in timelines. All Mastodon versions are affected by occasional display of old posts, while specific versions (v4.5.0-4.5.4, v4.4.5-4.4.11, v4.3.13-4.3.17, v4.2.26-4.2.29) allow partial bypass where suspended users can get new posts through. Server administrators who suspend abusive users are affected.
💻 Affected Systems
- Mastodon
📦 What is this software?
Mastodon by Joinmastodon
⚠️ Risk & Real-World Impact
Worst Case
Suspended malicious users continue spreading harmful content through boosts and new posts, undermining moderation efforts and potentially exposing users to harassment or misinformation.
Likely Case
Some posts from suspended users appear in timelines, reducing effectiveness of moderation and potentially allowing limited content propagation.
If Mitigated
Minimal impact with proper monitoring and quick response to any bypass attempts.
🎯 Exploit Status
Exploitation requires being a remote user who gets suspended, then having posts boosted or creating new posts. No authentication bypass needed beyond the suspension bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.5.5, v4.4.12, v4.3.18
Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp
Restart Required: Yes
Instructions:
1. Back up your Mastodon instance.
2. Update to v4.5.5, v4.4.12, or v4.3.18 depending on your current version.
3. Restart Mastodon services.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Manual post removal
Manually monitor and remove any posts from suspended users that appear in timelines
Temporary suspension enhancement
Block the suspended user's domain at the server level in addition to user suspension
sudo -u mastodon RAILS_ENV=production bin/tootctl domains block DOMAIN_NAME
🧯 If You Can't Patch
- Increase monitoring of timelines for content from suspended users
- Implement additional domain-level blocks for suspended users from problematic instances
🔍 How to Verify
Check if Vulnerable:
Check Mastodon version against affected ranges: v4.5.0-4.5.4, v4.4.5-4.4.11, v4.3.13-4.3.17, v4.2.26-4.2.29
Check Version:
cd /home/mastodon/live && RAILS_ENV=production bundle exec rails runner 'puts Mastodon::Version'
Verify Fix Applied:
Verify the running version is v4.5.5, v4.4.12, v4.3.18 or later on its branch, then test by suspending a test account and checking whether its posts still appear in timelines when boosted
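The version comparison above is easy to get wrong by hand because the affected ranges sit in the middle of four separate release branches. The following Ruby script is an added example, not part of this advisory or of the Mastodon project: it takes the string printed by the version check command and reports whether that release falls in one of the partial-bypass ranges, is at or past the listed fixed release for its branch, or is only subject to the occasional old-post display the advisory says affects every version. The range table is copied from the advisory text; the function names and the sample version strings are this example's own.

```ruby
# Added example (not from the advisory or the Mastodon project): classify a
# Mastodon version string against the affected ranges listed in the advisory.
require 'rubygems' # Gem::Version ships with Ruby; explicit for clarity

# Branches as given in the advisory: first affected, last affected, first fixed.
# fixed: nil means the advisory text lists no fixed release for that branch.
AFFECTED_BRANCHES = {
  '4.5' => { from: '4.5.0',  to: '4.5.4',  fixed: '4.5.5'  },
  '4.4' => { from: '4.4.5',  to: '4.4.11', fixed: '4.4.12' },
  '4.3' => { from: '4.3.13', to: '4.3.17', fixed: '4.3.18' },
  '4.2' => { from: '4.2.26', to: '4.2.29', fixed: nil      },
}.freeze

# Parses what `rails runner 'puts Mastodon::Version'` prints (e.g. "4.5.3" or
# "4.5.3-rc1") into a Gem::Version built from the numeric part only. Any
# prerelease or build suffix is deliberately ignored: Gem::Version rejects
# some suffixes Mastodon forks use, and the advisory ranges are numeric.
def parse_version(str)
  m = str.to_s.strip.match(/\A(\d+\.\d+\.\d+)/)
  raise ArgumentError, "unrecognised Mastodon version: #{str.inspect}" unless m
  Gem::Version.new(m[1])
end

# Returns { version:, status:, action: } for the given version string.
#   :partial_bypass  - inside an advisory range; suspended users can get new posts through
#   :patched         - at or beyond the fixed release listed for that branch
#   :old_posts_only  - every other release; only occasional old-post display applies
def assess_version(str)
  v = parse_version(str)
  branch = v.segments[0, 2].join('.')
  info = AFFECTED_BRANCHES[branch]

  if info && v >= Gem::Version.new(info[:from]) && v <= Gem::Version.new(info[:to])
    action = info[:fixed] ? "upgrade to #{info[:fixed]}" : 'no fixed release listed in the advisory for this branch'
    { version: v.to_s, status: :partial_bypass, action: action }
  elsif info && info[:fixed] && v >= Gem::Version.new(info[:fixed])
    { version: v.to_s, status: :patched, action: 'none' }
  else
    { version: v.to_s, status: :old_posts_only, action: 'apply a fixed release for your branch when available' }
  end
end

if $PROGRAM_NAME == __FILE__
  # Pass the real version string as the first argument, e.g.
  #   ruby check_version.rb "$(cd /home/mastodon/live && RAILS_ENV=production bin/tootctl version)"
  # With no argument, a constructed sample version is used so the script runs stand-alone.
  sample = ARGV.first || '4.4.9' # constructed sample, inside the 4.4 range
  result = assess_version(sample)
  puts "#{result[:version]}: #{result[:status]} (#{result[:action]})"
end
```

Run it against the output of the version check; a `:partial_bypass` result means the instance is on a release the advisory lists as allowing suspended users' new posts through, and the `action` field names the fixed release to move to where the advisory lists one.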
📡 Detection & Monitoring
Log Indicators:
- Posts from suspended users appearing in timelines
- Boost activity involving suspended users
Network Indicators:
- ActivityPub interactions with suspended users
SIEM Query:
source="mastodon.log" AND ("suspended" OR "boost") AND "remote_user"