Impact
NodeBB's ActivityPub middleware fails to confirm that the attributedTo field of an inbound object matches the authenticated remote actor. Because a bare numeric UID is accepted as attributedTo, a federated actor can author content as any local user, including the administrator: an attacker can forge posts and private messages under any local username. The weakness is an improper authentication (CWE-290) and insufficient input validation (CWE-345).
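As an added example in JavaScript (not NodeBB's own middleware), here is the kind of check the advisory says is missing: the actor named in attributedTo is parsed, rejected unless it is an absolute remote actor IRI (so a bare numeric UID never reaches a local user lookup), and then compared against the actor that authenticated the request. The function names, the `signer` parameter and the sample objects are assumptions constructed for the demo.

```javascript
// Added illustrative example, not NodeBB's middleware. The names `checkAttribution`,
// `signer` and the object shape are assumptions for this demo.

// Resolve the actor reference from an attributedTo value. ActivityPub allows a
// string IRI, an object carrying an `id`, or an array of either; take the first.
function actorIdFrom(value) {
  const first = Array.isArray(value) ? value[0] : value;
  if (typeof first === 'string') return first;
  if (first && typeof first.id === 'string') return first.id;
  return null;
}

// Parse an identifier as an absolute https URL; return null for anything else,
// including a bare numeric UID such as "1", which is a local id, not an actor IRI.
function asRemoteActorUrl(id) {
  let url;
  try { url = new URL(id); } catch { return null; }
  return url.protocol === 'https:' ? url : null;
}

// The failure mode the advisory describes: the author is taken straight from the
// object, so a numeric attributedTo is later treated as a local uid.
function resolveAuthorUnchecked(object) {
  return actorIdFrom(object.attributedTo);
}

// Hardened check: the author named in the object must be exactly the actor that
// authenticated (HTTP-signed) the inbound request. Returns { ok, reason }.
function checkAttribution(object, signer) {
  const claimed = actorIdFrom(object.attributedTo);
  if (claimed === null) return { ok: false, reason: 'missing attributedTo' };
  const claimedUrl = asRemoteActorUrl(claimed);
  if (claimedUrl === null) return { ok: false, reason: 'attributedTo is not a remote actor IRI' };
  const signerUrl = asRemoteActorUrl(signer);
  if (signerUrl === null) return { ok: false, reason: 'request has no authenticated remote actor' };
  if (claimedUrl.href !== signerUrl.href) {
    return { ok: false, reason: 'attributedTo does not match authenticated actor' };
  }
  return { ok: true, reason: '' };
}

// Constructed sample inbound objects (not real traffic).
const SIGNER = 'https://remote.example/users/alice';
const SAMPLES = {
  legitimate: { id: 'https://remote.example/notes/1', attributedTo: SIGNER },
  spoofLocalUid: { id: 'https://remote.example/notes/2', attributedTo: '1' },
  spoofOtherActor: { id: 'https://remote.example/notes/3', attributedTo: 'https://remote.example/users/bob' },
  objectForm: { id: 'https://remote.example/notes/4', attributedTo: [{ id: SIGNER, type: 'Person' }] },
};

// Show the unchecked author next to the hardened verdict for each sample.
for (const [name, obj] of Object.entries(SAMPLES)) {
  console.log(name, 'unchecked author:', resolveAuthorUnchecked(obj), 'hardened:', checkAttribution(obj, SIGNER));
}
```

The strict href comparison implements exactly what the advisory asks for (attributedTo must match the authenticated actor); a deployment that wants to allow one server to relay for several of its own actors would relax this to a same-origin comparison, but the rejection of non-IRI values such as a bare UID should stay in either case.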
Affected Systems
The vulnerability affects NodeBB installations that have the ActivityPub/federation feature enabled; no version range is stated, though references point to a code path present in v4.13.2. Because precise affected releases are not enumerated, every NodeBB deployment with federation enabled should be assessed.
Risk and Exploitability
With a CVSS score of 8.7, the vulnerability is rated high severity. No EPSS score is available, and the CVE is not listed in the CISA KEV catalog. The attack vector is remote and usable by any federated actor: if the attacker can reach the instance, they can send a crafted ActivityPub object that spoofs authorship. This gives the attacker the unrestricted ability to post or message on behalf of any local user, which is especially dangerous for administrator accounts.
OpenCVE Enrichment