Description
NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled.
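The check the description says is missing, as an added illustration in Node.js (not NodeBB's own code; all function and field names here are hypothetical): the weak mapping that trusts attributedTo as-is, next to a hardened mapping that refuses anything but the authenticated actor's URL.

```javascript
// Added illustration, not NodeBB's code. Names (mockObjectUnsafe, bindAuthor,
// LOCAL_USERS) are hypothetical; sample data below is constructed.

// Hypothetical local user store: uid 1 is the administrator in this sample.
const LOCAL_USERS = new Map([[1, 'admin']]);

// Weak mapping, mirroring the behaviour the description reports: the claimed author
// is used directly, so a bare numeric attributedTo becomes a local uid unchecked.
function mockObjectUnsafe(object) {
  return { id: object.id, uid: object.attributedTo, content: object.content };
}

// Hardened mapping: attributedTo must be an absolute https URL, share the object's
// origin, and be the actor whose HTTP signature authenticated the request. Anything
// that resembles a local identifier (number, numeric string, relative path) is refused.
function bindAuthor(object, signerActorId) {
  let claimed = object.attributedTo;
  if (claimed && typeof claimed === 'object' && !Array.isArray(claimed)) claimed = claimed.id;
  if (typeof claimed !== 'string') {
    return { ok: false, reason: 'attributedTo must be an actor URL string' };
  }
  let claimedUrl, objectUrl, signerUrl;
  try {
    claimedUrl = new URL(claimed);          // throws for "1" or any relative value
    objectUrl = new URL(object.id);
    signerUrl = new URL(signerActorId);
  } catch {
    return { ok: false, reason: 'attributedTo, object.id and signer must be absolute URLs' };
  }
  if (claimedUrl.protocol !== 'https:') return { ok: false, reason: 'attributedTo must use https' };
  if (claimedUrl.origin !== objectUrl.origin) return { ok: false, reason: 'attributedTo origin differs from object.id origin' };
  // Strict binding: author == signer. A deployment that accepts a shared per-instance
  // signing actor would relax this to same-origin plus an actor fetch, never to a local uid.
  if (claimedUrl.href !== signerUrl.href) return { ok: false, reason: 'attributedTo is not the authenticated actor' };
  return { ok: true, author: claimedUrl.href, id: object.id, content: object.content };
}

// Constructed sample: a Note whose signature verified as remote.example/users/alice,
// but whose attributedTo claims local uid 1.
const SIGNER = 'https://remote.example/users/alice';
const spoofed = { id: 'https://remote.example/notes/42', attributedTo: 1, content: 'hi' };

console.log('unsafe mapping credits:', LOCAL_USERS.get(mockObjectUnsafe(spoofed).uid)); // admin
console.log('hardened mapping:', bindAuthor(spoofed, SIGNER));
console.log('hardened mapping, genuine author:', bindAuthor({ ...spoofed, attributedTo: SIGNER }, SIGNER));
```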
Published: 2026-07-01
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NodeBB's ActivityPub middleware fails to confirm that the attributedTo field matches the authenticated remote actor. This oversight permits a federated actor to supply a bare numeric UID as attributedTo and thereby author content as any local user, including the administrator. An attacker can forge posts and private messages attributed to any local user. The weakness is classified as authentication bypass by spoofing (CWE-290) and insufficient verification of data authenticity (CWE-345).

Affected Systems

The vulnerability affects NodeBB installations that have the ActivityPub/federation feature enabled, regardless of version, though references point to a code path present in v4.13.2. Precise affected releases are not enumerated, so all NodeBB deployments with federation enabled should be assessed.

Risk and Exploitability

With a CVSS score of 8.7 the vulnerability is considered high severity. EPSS is not available, and the CVE is not listed in the CISA KEV catalog. The attack vector is remote and usable by any federated actor; if the attacker can reach the instance, they can send a crafted ActivityPub object to spoof authorship. This provides the attacker with unrestricted ability to post or message on behalf of any local user, which is especially dangerous for administrator accounts.

Generated by OpenCVE AI on July 2, 2026 at 12:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest NodeBB release or patch that validates the attributedTo field against the authenticated actor
  • If an immediate patch cannot be applied, disable the ActivityPub/federation feature until the fix is deployed
  • Continuously monitor logs and content for suspicious posts or messages that appear to originate from local users with unexpected activity

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 20:00:00 +0000

Type                 Values Removed   Values Added
Description          (none)           As given in the Description section above
Title                (none)           NodeBB - ActivityPub Author Spoofing via Unvalidated attributedTo Mapped to Local User
First Time appeared  (none)           Nodebb; Nodebb nodebb
Weaknesses           (none)           CWE-290; CWE-345
CPEs                 (none)           cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Nodebb; Nodebb nodebb
References           (none)           (none listed)
Metrics              (none)           cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
                                      cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-02T15:08:41.737Z

Reserved: 2026-07-01T17:20:57.549Z

Link: CVE-2026-58593

Vulnrichment

Updated: 2026-07-02T15:08:38.830Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T13:00:03Z

Weaknesses
  • CWE-290

    Authentication Bypass by Spoofing

  • CWE-345

    Insufficient Verification of Data Authenticity