Logic Errors in Mastodon Allow Suspended Users’ Posts to Reappear
CVE-2026-23961

5.3MEDIUM

Key Information:

Vendor

Mastodon

Status
Mastodon
Vendor
CVE Published:
22 January 2026

What is CVE-2026-23961?

Mastodon, an open-source social network server based on ActivityPub, has a vulnerability that affects the handling of posts from suspended users. Server administrators can suspend users to prevent their interactions; however, due to certain logic errors, content from these suspended users may still appear in timelines. Known posts from suspended accounts can be revealed if boosted, while under specific circumstances, new posts from these users might bypass restrictions and show up. This issue persists across multiple versions of Mastodon, allowing previously hidden content to surface sporadically. Recent updates in versions v4.5.5, v4.4.12, and v4.3.18 include patches addressing this security flaw.

Affected Version(s)

mastodon < 4.3.18 < 4.3.18

mastodon >= 4.4.0, < 4.4.12 < 4.4.0, 4.4.12

mastodon >= 4.5.0, < 4.5.5 < 4.5.0, 4.5.5

References

https://github.com/mastodon/mastodon/security/advisories/...
x_refsource_CONFIRM
https://github.com/mastodon/mastodon/releases/tag/v4.3.18
x_refsource_MISC
https://github.com/mastodon/mastodon/releases/tag/v4.4.12
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.