CVE-2026-23962

7.5 HIGH

📋 TL;DR

Mastodon servers running vulnerable versions allow attackers to create remote posts with unlimited poll options, causing excessive resource consumption. This can lead to denial of service on both servers and clients. All Mastodon instances before patched versions are affected.

💻 Affected Systems

Products:
  • Mastodon
Versions: All versions before v4.3.18, v4.4.12, and v4.5.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both server and client components when processing remote posts with polls.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server unavailability due to resource exhaustion, affecting all users and potentially causing cascading failures in federated networks.

🟠 Likely Case: Degraded server performance, increased response times, and potential service interruptions during attack periods.

🟢 If Mitigated: Minimal impact with proper rate limiting and monitoring in place, though still vulnerable to targeted attacks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires creating or interacting with remote posts containing polls with excessive options.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.5.5, v4.4.12, or v4.3.18

Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g

Restart Required: Yes

Instructions:

1. Back up your Mastodon instance.
2. Update to v4.5.5, v4.4.12, or v4.3.18 using your package manager or git.
3. Run bundle install and yarn install.
4. Run database migrations.
5. Restart Mastodon services.

🔧 Temporary Workarounds

Rate limit poll creation (all platforms)
  • Implement application-level rate limiting for poll creation endpoints
  • Configure rate limiting in nginx/apache or application firewall

Block suspicious remote instances (all platforms)
  • Temporarily block instances sending posts with excessive poll options
  • Use Mastodon admin interface to block domains

🧯 If You Can't Patch

  • Implement strict rate limiting on poll creation endpoints
  • Monitor for unusual poll activity and block offending instances

🔍 How to Verify

Check if Vulnerable:

Check Mastodon version against affected versions

Check Version:

grep VERSION /opt/mastodon/.env.production or check admin interface

Verify Fix Applied:

Confirm version is v4.5.5, v4.4.12, or v4.3.18 or later
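Because the fix was shipped on three release branches, a plain "newer than v4.3.18" comparison gets the answer wrong: v4.4.0 is later than v4.3.18 but still vulnerable. The following check, added here as an example and not part of the advisory or of Mastodon itself, maps a version string to its branch and compares against the fixed patch level for that branch. The parsing rules (optional leading "v", an optional pre-release suffix treated as earlier than the final release) are assumptions for this example.

```python
"""Check a Mastodon version string against the fixed releases named in the
advisory: v4.3.18, v4.4.12 and v4.5.5. A later patch release on one of those
branches, or any later branch, is treated as fixed ("or later")."""
import re

# Minimum fixed patch level per release branch, taken from the advisory.
FIXED = {(4, 3): 18, (4, 4): 12, (4, 5): 5}
LATEST_FIXED_BRANCH = max(FIXED)

# Accepts "4.5.5", "v4.5.5" or "v4.5.5-rc1" (suffix handling is an assumption).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-\S+)?$")


def parse_version(text):
    """Return (major, minor, patch, is_prerelease) for a version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def is_patched(text):
    """True if the given Mastodon version carries the fix for this advisory."""
    major, minor, patch, prerelease = parse_version(text)
    branch = (major, minor)
    if branch > LATEST_FIXED_BRANCH:
        return True            # newer branch than any the advisory names
    if branch not in FIXED:
        return False           # older, unsupported branch: no fixed release exists
    if patch != FIXED[branch]:
        return patch > FIXED[branch]
    # Exactly the fixed patch number: a pre-release build of it predates the fix.
    return not prerelease


def report(text):
    """Human-readable verdict, e.g. for pasting into a ticket."""
    state = "patched" if is_patched(text) else "VULNERABLE"
    return f"Mastodon {text.strip()}: {state}"


if __name__ == "__main__":
    for v in ("v4.3.17", "v4.3.18", "v4.4.0", "v4.4.12", "v4.5.5-rc1", "v4.5.5"):
        print(report(v))
```

Feed it the value found via the version check above; the important cases are the ones a naive comparison misses, such as v4.4.0 (vulnerable) versus v4.3.18 (fixed).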

📡 Detection & Monitoring

Log Indicators:

  • Unusually large poll creation requests
  • Spike in memory/CPU usage
  • Timeout errors on poll endpoints

Network Indicators:

  • High volume of POST requests to poll endpoints
  • Large payloads to /api/v1/polls

SIEM Query:

source="mastodon.logs" AND ("poll" AND "options") | stats count by src_ip
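The SIEM query above counts poll traffic per source address, but the workaround section asks for something the query does not give directly: which remote instances are sending posts with excessive poll options, so they can be blocked through the admin interface. The script below is an added example for that monitoring step and is not part of the advisory or of Mastodon's code. It assumes polls federate as ActivityStreams Question objects whose choices are listed under oneOf (single choice) or anyOf (multiple choice), that the sending instance can be read from the actor URL, and it uses a locally chosen threshold (MAX_POLL_OPTIONS) rather than any value from the advisory; the inbox traffic is constructed sample data.

```python
"""Flag inbound ActivityPub posts whose poll carries more options than this
instance is prepared to accept, and aggregate the sending domains for review
or domain blocking.

Assumptions (not from the advisory): polls arrive as `Create` activities whose
`object` is a `Question` with choices in `oneOf` or `anyOf`; MAX_POLL_OPTIONS
is a threshold chosen for this example."""
import json
from collections import Counter
from urllib.parse import urlparse

MAX_POLL_OPTIONS = 4  # assumed local policy; tune to your instance


def poll_option_count(activity):
    """Number of poll options in a Create activity, or 0 if it carries no poll."""
    obj = activity.get("object", {})
    if not isinstance(obj, dict) or obj.get("type") != "Question":
        return 0
    options = obj.get("oneOf") or obj.get("anyOf") or []
    return len(options) if isinstance(options, list) else 0


def sending_domain(activity):
    """Domain of the actor that produced the activity (the remote instance)."""
    actor = activity.get("actor")
    if isinstance(actor, dict):
        actor = actor.get("id", "")
    return urlparse(actor or "").hostname or "unknown"


def find_excessive_polls(activities, limit=MAX_POLL_OPTIONS):
    """Return {domain: number_of_posts} for posts whose poll exceeds `limit` options."""
    offenders = Counter()
    for activity in activities:
        if poll_option_count(activity) > limit:
            offenders[sending_domain(activity)] += 1
    return dict(offenders)


def scan_jsonl(text, limit=MAX_POLL_OPTIONS):
    """Same check over a newline-delimited JSON dump of inbox activities."""
    activities = [json.loads(line) for line in text.splitlines() if line.strip()]
    return find_excessive_polls(activities, limit)


def _question(actor, n_options):
    # Constructed Create{Question} activity with n_options choices.
    return {
        "type": "Create",
        "actor": actor,
        "object": {
            "type": "Question",
            "oneOf": [{"type": "Note", "name": f"option {i}"} for i in range(n_options)],
        },
    }


# Constructed sample inbox traffic: one well-behaved instance, one sending huge polls.
SAMPLE_ACTIVITIES = [
    _question("https://good.example/users/alice", 3),
    _question("https://good.example/users/bob", 4),
    _question("https://flood.example/users/carol", 500),
    _question("https://flood.example/users/carol", 10_000),
    {"type": "Create", "actor": "https://good.example/users/alice",
     "object": {"type": "Note", "content": "no poll here"}},
]

if __name__ == "__main__":
    print(json.dumps(find_excessive_polls(SAMPLE_ACTIVITIES), indent=2))
```

Run it over a dump of recently received activities (or wire the check into whatever already logs inbox traffic); the domains it returns are candidates for the "block offending instances" workaround, and the option counts themselves are a sharper log indicator than request size alone.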
