Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2026-23961

Good to know:

icon
icon

Date: January 21, 2026

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under certain circumstances, previously-unknown posts from suspended users can be processed. This issue allows old posts from suspended users to occasionally end up on timelines on all Mastodon versions. Additionally, on Mastodon versions from v4.5.0 to v4.5.4, v4.4.5 to v4.4.11, v4.3.13 to v4.3.17, and v4.2.26 to v4.2.29, remote suspended users can partially bypass the suspension to get new posts in. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.

Severity Score

Related Resources (6)

https://github.com/mastodon/mastodon/releases/tag/v4.3.18
https://github.com/mastodon/mastodon/releases/tag/v4.5.5
https://github.com/mastodon/mastodon/releases/tag/v4.4.12
https://nvd.nist.gov/vuln/detail/CVE-2026-23961
https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp
https://www.mend.io/vulnerability-database/CVE-2026-23961

Severity Score

Weakness Type (CWE)

Incorrect Authorization

CWE-863

Top Fix

icon

Upgrade Version

Upgrade to version https://github.com/mastodon/mastodon.git - v4.5.5;https://github.com/mastodon/mastodon.git - v4.4.12;https://github.com/mastodon/mastodon.git - v4.3.18

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us