CVE-2026-23961
Mastodon may allow a remote suspension bypassMastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under certain circumstances, previously-unknown posts from suspended users can be processed. This issue allows old posts from suspended users to occasionally end up on timelines on all Mastodon versions. Additionally, on Mastodon versions from v4.5.0 to v4.5.4, v4.4.5 to v4.4.11, v4.3.13 to v4.3.17, and v4.2.26 to v4.2.29, remote suspended users can partially bypass the suspension to get new posts in. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
We have discovered 1,372 live websites that are affected by CVE-2026-23961.
Affected Software
| Product | |
| Category | Message Boards |
| Vulnerable Domains | 1,372 live websites (100% of Mastodon install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 68 versions ( 99% of all versions) |
Common Weakness Enumeration
CWE-863 Incorrect AuthorizationDetails
- Published - Jan 22, 2026
- Updated - Jan 22, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-23961 United States | 341 websites |
 France | 429 websites |
 Germany | 271 websites |
 Japan | 93 websites |
 Singapore | 43 websites |
 GB | 25 websites |
 Canada | 21 websites |
 Netherlands | 16 websites |
 Austria | 15 websites |
Website Distribution by TLD
Number of websites using CVE-2026-23961| .com | 160 websites |
| .net | 107 websites |
| .org | 87 websites |
| .de | 41 websites |
| .jp | 30 websites |
| .fr | 27 websites |
| .eu | 26 websites |
| .info | 23 websites |
| .io | 22 websites |
| .nl | 14 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-23961
Top websites that are affected by CVE-2026-23961. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.net | Germany | *** | |
| *********.org | United States | **,*** | |
| *****.social | Germany | **,*** | |
| ********.**********.ca | Canada | **,*** | |
| *********.com | United States | **,*** | |
| ********.art | France | **,*** | |
| ********.xyz | Germany | **,*** | |
| *****.fr | France | **,*** | |
| *****.social | Germany | **,*** | |
| ********.***.org | United States | ***,*** |
FAQ
CVE-2026-23961 is Incorrect Authorization in Mastodon
A total of 1,372 websites have been identified as vulnerable to CVE-2026-23961, based on global website indexing conducted by WebTechSurvey.
The Mastodon is affected by the CVE-2026-23961 vulnerability.
Mastodon versions up to 4.5.5 are vulnerable to CVE-2026-23961.
CVE-2026-23961 is resolved in version 4.5.5 of Mastodon.