CVE-2026-23964
中文标题:
(暂无数据)
英文标题:
Mastodon has insufficient access control to push notification settings
漏洞描述
中文描述:
(暂无数据)
英文描述:
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| mastodon | mastodon | < 4.3.18 | - | - |
cpe:2.3:a:mastodon:mastodon:<_4.3.18:*:*:*:*:*:*:*
|
| mastodon | mastodon | >= 4.4.0, < 4.4.12 | - | - |
cpe:2.3:a:mastodon:mastodon:>=_4.4.0,_<_4.4.12:*:*:*:*:*:*:*
|
| mastodon | mastodon | >= 4.5.0, < 4.5.5 | - | - |
cpe:2.3:a:mastodon:mastodon:>=_4.5.0,_<_4.5.5:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
参考链接
cve.org
cve.org
cve.org
cve.org
CVSS评分详情
3.1 (cna)
MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2026-23964 |
2026-01-22 03:19:50 | 2026-01-21 22:00:11 |