CVE-2026-23964
📋 TL;DR
This CVE describes an insecure direct object reference vulnerability in Mastodon's web push subscription update endpoint. Authenticated users can tamper with other users' push notification settings by guessing or obtaining subscription IDs, potentially disrupting notifications and leaking subscription endpoints. All Mastodon users with web push subscriptions are affected.
💻 Affected Systems
- Mastodon
📦 What is this software?
Mastodon by Joinmastodon
⚠️ Risk & Real-World Impact
Worst Case
An attacker could systematically disrupt push notifications for multiple users, potentially affecting user engagement and causing service disruption complaints.
Likely Case
Targeted disruption of specific users' push notifications by changing their notification policies and subscribed notification types.
If Mitigated
With proper access controls, only authorized users can modify their own subscription settings, preventing unauthorized changes.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge/guess of subscription IDs, which may be predictable or obtainable through other means.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.5.5, v4.4.12, or v4.3.18
Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4
Restart Required: Yes
Instructions:
1. Back up your Mastodon instance.
2. Update to v4.5.5, v4.4.12, or v4.3.18 using your preferred update method (git pull, package manager, etc.).
3. Run bundle install and yarn install.
4. Run database migrations.
5. Restart Mastodon services.
🔧 Temporary Workarounds
Disable web push notifications
Temporarily disable web push notifications to prevent exploitation while planning the upgrade.
# Edit Mastodon configuration to disable web push
# In .env.production, set:
# WEB_PUSH_ENABLED=false
🧯 If You Can't Patch
- Implement WAF rules to detect and block suspicious subscription update requests
- Monitor logs for unusual patterns of subscription update attempts
🔍 How to Verify
Check if Vulnerable:
Check the Mastodon version against the affected versions. If you are running a version older than v4.5.5, v4.4.12, or v4.3.18, you are vulnerable.
Check Version:
cd /path/to/mastodon && git describe --tags 2>/dev/null || cat /opt/mastodon/version.txt 2>/dev/null || echo "Check Mastodon admin interface for version"
Verify Fix Applied:
After patching, verify that the version is v4.5.5, v4.4.12, or v4.3.18 or newer, and test that authenticated users cannot modify other users' push subscription settings.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed subscription update attempts from same user
- Subscription updates for user IDs not matching authenticated user
Network Indicators:
- Unusual patterns of PUT requests to /api/web/push_subscriptions/* endpoint
SIEM Query:
source="mastodon.logs" AND (uri_path="/api/web/push_subscriptions/*" AND http_method="PUT") | stats count by src_ip, user_id
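The two log indicators above can be turned into a small offline check. The following is an added example, not part of the advisory or of Mastodon: the key=value log layout, the sample lines and the subscription-to-owner table are all constructed for illustration, and in practice the owner table would come from the instance database.

```python
import re
from collections import Counter

# Constructed sample log lines for this example; the key=value layout is an
# assumption, not real Mastodon/Rails output.
SAMPLE_LOGS = [
    "method=PUT path=/api/web/push_subscriptions/101 status=200 user_id=7 src_ip=203.0.113.5",
    "method=GET path=/api/v1/notifications status=200 user_id=7 src_ip=203.0.113.5",
    "method=PUT path=/api/web/push_subscriptions/103 status=200 user_id=7 src_ip=203.0.113.5",
    "method=PUT path=/api/web/push_subscriptions/104 status=200 user_id=7 src_ip=203.0.113.5",
    "method=PUT path=/api/web/push_subscriptions/900 status=404 user_id=12 src_ip=198.51.100.9",
    "method=PUT path=/api/web/push_subscriptions/901 status=404 user_id=12 src_ip=198.51.100.9",
    "method=PUT path=/api/web/push_subscriptions/902 status=404 user_id=12 src_ip=198.51.100.9",
    "method=PUT path=/api/web/push_subscriptions/105 status=200 user_id=9 src_ip=192.0.2.44",
]

# Constructed subscription_id -> owner user_id table (assumed to be exported
# from the instance database in a real deployment).
SUBSCRIPTION_OWNERS = {101: 7, 102: 7, 103: 9, 104: 11, 105: 9}

LINE_RE = re.compile(
    r"method=(?P<method>\S+) path=/api/web/push_subscriptions/(?P<sub>\d+) "
    r"status=(?P<status>\d+) user_id=(?P<user>\d+) src_ip=(?P<ip>\S+)"
)

def parse_push_update(line):
    """Return a dict for a PUT to the push-subscription endpoint, else None."""
    m = LINE_RE.search(line)
    if not m or m.group("method") != "PUT":
        return None
    return {"sub": int(m.group("sub")), "status": int(m.group("status")),
            "user": int(m.group("user")), "ip": m.group("ip")}

def cross_user_updates(lines, owners):
    """Successful PUTs where the caller is not the subscription's owner:
    the cross-user update pattern this advisory describes."""
    hits = []
    for ev in filter(None, map(parse_push_update, lines)):
        owner = owners.get(ev["sub"])
        if ev["status"] < 400 and owner is not None and owner != ev["user"]:
            hits.append((ev["user"], ev["sub"], owner, ev["ip"]))
    return hits

def id_probing_users(lines, threshold=3):
    """Users with at least `threshold` failed (4xx) PUTs, i.e. repeated
    failed subscription update attempts from the same user."""
    failures = Counter(ev["user"] for ev in filter(None, map(parse_push_update, lines))
                       if 400 <= ev["status"] < 500)
    return {u: n for u, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for hit in cross_user_updates(SAMPLE_LOGS, SUBSCRIPTION_OWNERS):
        print("cross-user update: user=%d sub=%d owner=%d ip=%s" % hit)
    print("repeated failures:", id_probing_users(SAMPLE_LOGS))
```

On the constructed data this flags user 7 updating subscriptions 103 and 104 (owned by users 9 and 11) and user 12 for three failed updates in a row; a real deployment would replace the sample lines with the instance's request logs and the owner table with a database export.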