Poll Option Overflow Vulnerability in Mastodon by Mastodon
CVE-2026-23962

7.5HIGH

Key Information:

Vendor

Mastodon

Status
Mastodon
Vendor
CVE Published:
22 January 2026

What is CVE-2026-23962?

The Mastodon social network server has a vulnerability that allows attackers to exploit the poll creation feature. Versions prior to v4.3.18, v4.4.12, and v4.5.5 were found to not limit the maximum number of options for polls in remote posts. This oversight permits an attacker to create polls with excessive options, leading to increased resource consumption on both the server and client sides. As a result, this could potentially cause a Denial of Service, overwhelming servers and disrupting client interactions. Users are encouraged to update to the latest patched versions to mitigate this risk.

Affected Version(s)

mastodon < 4.3.18 < 4.3.18

mastodon >= 4.4.0, < 4.4.12 < 4.4.0, 4.4.12

mastodon >= 4.5.0, < 4.5.5 < 4.5.0, 4.5.5

References

https://github.com/mastodon/mastodon/security/advisories/...
x_refsource_CONFIRM
https://github.com/mastodon/mastodon/releases/tag/v4.3.18
x_refsource_MISC
https://github.com/mastodon/mastodon/releases/tag/v4.4.12
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.