CVE-2026-23964 Overview
CVE-2026-23964 is an Insecure Direct Object Reference (IDOR) vulnerability affecting Mastodon, a free, open-source social network server based on ActivityPub. The vulnerability exists in the web push subscription update endpoint, which allows any authenticated user to update another user's push subscription by guessing or obtaining the numeric subscription id.
This flaw enables attackers to disrupt push notifications for other users and exposes victims' web push subscription endpoint URLs, creating both availability and confidentiality concerns for Mastodon instance operators and users.
Critical Impact
Authenticated attackers can tamper with any user's push notification settings and obtain their push subscription endpoints by exploiting predictable numeric subscription identifiers.
Affected Products
- Mastodon versions prior to 4.5.5
- Mastodon versions prior to 4.4.12
- Mastodon versions prior to 4.3.18
Discovery Timeline
- 2026-01-22 - CVE CVE-2026-23964 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2026-23964
Vulnerability Analysis
This vulnerability falls under CWE-863 (Incorrect Authorization), specifically manifesting as an Insecure Direct Object Reference (IDOR). The web push subscription update endpoint fails to properly verify that the authenticated user making the request is the actual owner of the subscription being modified.
The attack is network-based and requires low complexity to execute. Any authenticated user on a Mastodon instance can exploit this vulnerability, making it particularly dangerous in multi-user environments. The impact includes both information disclosure (leaking push notification endpoints) and integrity violations (modifying victim subscription settings).
Root Cause
The root cause is improper authorization checking in the web push subscription update endpoint. The application uses numeric subscription IDs as direct object references without validating that the requesting user has ownership of the subscription. This allows horizontal privilege escalation where authenticated users can access and modify resources belonging to other users at the same privilege level.
The subscription IDs appear to be sequential or otherwise predictable, making enumeration attacks feasible. Even without sequential IDs, an attacker who obtains a valid subscription ID through other means can exploit this vulnerability.
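The missing ownership check described above, beside the scoped lookup that closes it, as an added Ruby illustration; this is not Mastodon's code, and the in-memory store, function names and policy values are assumptions.

```ruby
# Added illustration (not Mastodon's code) of an IDOR in a push subscription
# update handler and the ownership-scoped lookup that fixes it.
class NotFound < StandardError; end

# Constructed sample data: two users, each owning one push subscription.
def build_store
  {
    1 => { id: 1, user_id: 10, endpoint: 'https://push.example/a', policy: 'all' },
    2 => { id: 2, user_id: 20, endpoint: 'https://push.example/b', policy: 'all' }
  }
end

# Vulnerable pattern: the record is fetched by id alone. current_user_id is
# accepted but never compared with the subscription's owner, so any
# authenticated caller can modify any subscription and read its endpoint
# back from the returned object.
def update_subscription_vulnerable(store, current_user_id, id, new_policy)
  sub = store[id]
  raise NotFound if sub.nil?
  sub[:policy] = new_policy
  sub.dup # response includes the endpoint URL
end

# Hardened pattern: the lookup is scoped to the caller's own subscriptions.
# A foreign id behaves exactly like a missing one (not found rather than
# forbidden), so the response does not even confirm that the id exists.
# In a Rails app this is the usual association-scoped lookup, e.g.
# current_user.push_subscriptions.find(params[:id]) (general idiom, assumed).
def update_subscription_fixed(store, current_user_id, id, new_policy)
  sub = store[id]
  raise NotFound if sub.nil? || sub[:user_id] != current_user_id
  sub[:policy] = new_policy
  sub.dup
end
```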
Attack Vector
The attack requires authentication to a Mastodon instance but no special privileges beyond that. An attacker can:
- Authenticate to the Mastodon instance as a normal user
- Enumerate or obtain numeric subscription IDs belonging to other users
- Send update requests to the web push subscription endpoint using victim subscription IDs
- Modify the victim's push notification policy (filtering notifications from non-followers or non-followed users)
- Change subscribed notification types to disrupt the victim's notification experience
- Obtain the victim's push notification endpoint URL from the response
The endpoint returns the full subscription object upon modification, which includes the push notification endpoint for the subscription (though not its keypair), enabling further targeted attacks or tracking.
Detection Methods for CVE-2026-23964
Indicators of Compromise
- Unusual patterns of web push subscription update requests from single authenticated sessions
- Sequential or bulk subscription ID access patterns in API logs
- User reports of unexpected push notification behavior changes
- API requests to push subscription endpoints with subscription IDs not owned by the requesting user
Detection Strategies
- Monitor API access logs for subscription update endpoints with anomalous request volumes
- Implement rate limiting on web push subscription modification endpoints
- Analyze user session activity for patterns indicating subscription ID enumeration
- Alert on users accessing subscription IDs outside their normal range
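One way to implement the enumeration detection listed above, as an added Ruby example that is not part of the advisory or of Mastodon: it parses constructed access-log lines and flags sessions that touch many distinct subscription ids or walk them sequentially. The log line format, the request path and the thresholds are assumptions.

```ruby
# Added example: flag authenticated users whose push subscription update
# requests look like id enumeration. Log format and path are assumed.
LINE_RE = %r{\A(?<ts>\S+)\s+user=(?<user>\d+)\s+(?<verb>PUT|PATCH)\s+/api/web/push_subscriptions/(?<id>\d+)\s+(?<status>\d{3})\z}

# Constructed sample log: user 10 updates its own subscription twice,
# user 77 walks ids 40..44 (one of them absent) and then a sparse one.
SAMPLE_LOG = <<~LOG
  2026-01-23T10:00:01Z user=10 PUT /api/web/push_subscriptions/12 200
  2026-01-23T10:00:05Z user=77 PUT /api/web/push_subscriptions/40 200
  2026-01-23T10:00:06Z user=77 PUT /api/web/push_subscriptions/41 200
  2026-01-23T10:00:07Z user=77 PUT /api/web/push_subscriptions/42 404
  2026-01-23T10:00:08Z user=77 PUT /api/web/push_subscriptions/43 200
  2026-01-23T10:00:09Z user=77 PUT /api/web/push_subscriptions/44 200
  2026-01-23T10:00:30Z user=77 PUT /api/web/push_subscriptions/90 200
  2026-01-23T10:01:00Z user=10 PUT /api/web/push_subscriptions/12 200
LOG

# Parse lines into { user:, id:, status: }; lines that do not match are skipped.
def parse_log(text)
  text.each_line.filter_map do |line|
    m = LINE_RE.match(line.strip) or next
    { user: m[:user].to_i, id: m[:id].to_i, status: m[:status].to_i }
  end
end

# Length of the longest run of consecutive ids (after sorting and de-duplicating).
def longest_consecutive_run(ids)
  sorted = ids.uniq.sort
  return 0 if sorted.empty?
  best = run = 1
  sorted.each_cons(2) do |a, b|
    run = b == a + 1 ? run + 1 : 1
    best = [best, run].max
  end
  best
end

# Returns user => findings for each user that exceeds either threshold:
# too many distinct ids touched, or a sequential walk of at least max_run ids.
def find_enumerators(entries, max_distinct: 3, max_run: 3)
  entries.group_by { |e| e[:user] }.filter_map do |user, es|
    ids = es.map { |e| e[:id] }
    distinct = ids.uniq.size
    run = longest_consecutive_run(ids)
    next if distinct < max_distinct && run < max_run
    [user, { distinct_ids: distinct, longest_run: run,
             not_found: es.count { |e| e[:status] == 404 } }]
  end.to_h
end
```

A 404 count alongside a sequential run is a useful secondary signal, since a legitimate client only ever updates subscriptions it created.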
Monitoring Recommendations
- Enable detailed logging for all web push subscription API endpoints
- Set up alerts for failed authorization attempts on subscription resources
- Monitor for bulk API requests targeting the push subscription update endpoint
- Review audit logs regularly for signs of subscription enumeration activity
How to Mitigate CVE-2026-23964
Immediate Actions Required
- Upgrade Mastodon to version 4.5.5, 4.4.12, or 4.3.18 depending on your current version branch
- Review API logs for evidence of exploitation prior to patching
- Notify users if suspicious subscription modification activity is detected
- Consider temporarily disabling web push subscriptions if immediate patching is not possible
Patch Information
Mastodon has released patched versions addressing this vulnerability. Instance administrators should upgrade to the appropriate fixed version based on their current release branch:
- For 4.5.x branch: Upgrade to version 4.5.5
- For 4.4.x branch: Upgrade to version 4.4.12
- For 4.3.x branch: Upgrade to version 4.3.18
For complete details on the vulnerability and remediation, refer to the GitHub Security Advisory GHSA-f3q8-7vw3-69v4.
Workarounds
- Implement web application firewall rules to rate-limit requests to push subscription endpoints
- Add additional monitoring and alerting for subscription modification API calls
- Consider restricting API access to trusted networks during the patching window
- Review and audit existing web push subscriptions for unexpected modifications
# Example: Check current Mastodon version
cd /home/mastodon/live
git describe --tags
# Upgrade to patched version (example for 4.5.x branch)
git fetch origin
git checkout v4.5.5
bundle install
yarn install
RAILS_ENV=production bundle exec rails db:migrate
RAILS_ENV=production bundle exec rails assets:precompile
sudo systemctl restart mastodon-web mastodon-sidekiq mastodon-streaming
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.