CNNVD-202601-3909 Information

CNNVD ID

CNNVD-202601-3909

CVE-2026-23964

  • CNNVD Published: 2026-01-22

Description (Chinese)

Mastodon is an open-source social network server based on ActivityPub. Mastodon versions before v4.5.5, before v4.4.12 and before v4.3.18 contain a security vulnerability: the web push subscription update endpoint has an insecure direct object reference, which may lead to push notifications being tampered with and to information disclosure.

Description (English)

Mastodon is an open-source social network server based on ActivityPub. Mastodon versions before v4.5.5, before v4.4.12 and before v4.3.18 contain a security vulnerability: the web push subscription update endpoint has an insecure direct object reference (IDOR), which may allow push notifications to be tampered with and information to be disclosed.

Hazard Level

High

Vulnerability Type

Other

Affected Vendor

Mastodon

Published

2026-01-22

Last Modified

2026-02-24

References

https://github.com/mastodon/mastodon/releases/tag/v4.3.18
https://github.com/mastodon/mastodon/releases/tag/v4.4.12
https://github.com/mastodon/mastodon/releases/tag/v4.5.5
https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4

Patch

https://joinmastodon.org/zh