{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-06T18:40:56.383","vulnerabilities":[{"cve":{"id":"CVE-2026-23964","sourceIdentifier":"security-advisories@github.com","published":"2026-01-22T03:15:46.700","lastModified":"2026-02-02T20:26:10.053","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*","versionEndExcluding":"4.3.18","matchCriteriaId":"0ADDA491-E534-4DFB-856F-9D07F38F3A92"},{"vulnerable":true,"criteria":"cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.0","versionEndExcluding":"4.4.12","matchCriteriaId":"9BAA2A25-EE70-4B9F-8848-2CCE9C243077"},{"vulnerable":true,"criteria":"cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5.0","versionEndExcluding":"4.5.5","matchCriteriaId":"71845808-53CF-46D1-9A12-F14F1BAED488"}]}]}],"references":[{"url":"https://github.com/mastodon/mastodon/releases/tag/v4.3.18","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/mastodon/mastodon/releases/tag/v4.4.12","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/mastodon/mastodon/releases/tag/v4.5.5","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}
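The record above describes a classic CWE-639 authorization bypass: the update handler resolves a push subscription by the client-supplied numeric id alone, so being authenticated is enough to modify and read back another account's row. The following Ruby block is an added illustration of that pattern and of the usual remedy (scope the lookup to the caller's own rows and treat a foreign id as not found). It is not Mastodon's code or its actual patch; the struct fields, the in-memory store, the policy strings and the function names are assumptions chosen to mirror the description (policy plus per-type alerts, endpoint URL returned, keypair absent), and the sample rows are constructed.

```ruby
# Illustrative reconstruction of the IDOR pattern in CVE-2026-23964.
# NOT Mastodon's code: names, fields and sample data below are assumptions.

class NotFound < StandardError; end

# Stand-in for a web push subscription row. The real row also carries the
# client's keypair; it is left out here because the endpoint never returns it.
PushSubscription = Struct.new(:id, :user_id, :endpoint, :policy, :alerts, keyword_init: true)

# Constructed sample store: user 10 owns subscription 1, user 20 owns subscription 2.
# Sequential ids are what make "guessing" the victim's id trivial.
def sample_subscriptions
  {
    1 => PushSubscription.new(id: 1, user_id: 10, endpoint: "https://push.example.net/send/aaa",
                              policy: "all", alerts: { "mention" => true, "follow" => true }),
    2 => PushSubscription.new(id: 2, user_id: 20, endpoint: "https://push.example.net/send/bbb",
                              policy: "all", alerts: { "mention" => true, "follow" => true }),
  }
end

# Vulnerable shape: current_user_id is authenticated but never consulted, so the
# lookup is global. Any caller who supplies id=2 rewrites user 20's settings and
# receives the object back, including its endpoint URL.
def update_subscription_vulnerable(store, current_user_id, id, policy:, alerts:)
  sub = store[id]
  raise NotFound if sub.nil?
  sub.policy = policy
  sub.alerts = alerts
  sub
end

# Fixed shape: resolve the id only among rows the caller owns. A foreign id and a
# non-existent id both raise NotFound, so the response does not reveal whether the
# guessed id exists (a 403 here would itself leak that).
def update_subscription_fixed(store, current_user_id, id, policy:, alerts:)
  sub = store[id]
  raise NotFound if sub.nil? || sub.user_id != current_user_id
  sub.policy = policy
  sub.alerts = alerts
  sub
end

# Walk through the attack against both handlers: attacker is user 10, victim is user 20.
def demo
  store = sample_subscriptions
  hijacked = update_subscription_vulnerable(store, 10, 2, policy: "none", alerts: {})
  puts "vulnerable: attacker changed user #{hijacked.user_id}'s policy to #{hijacked.policy} " \
       "and learned endpoint #{hijacked.endpoint}"

  store = sample_subscriptions
  begin
    update_subscription_fixed(store, 10, 2, policy: "none", alerts: {})
  rescue NotFound
    puts "fixed: attacker's update of id=2 rejected; victim policy still #{store[2].policy}"
  end
end

demo if $PROGRAM_NAME == __FILE__
```

The scoping rule is the whole fix: authorization must be part of the lookup, not a check bolted on after the object has been fetched and serialized. Returning the same not-found result for foreign and missing ids also closes the enumeration side channel that a permission error would otherwise open.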