NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled.
Metrics
Affected Vendors & Products
References
History
Tue, 07 Jul 2026 13:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:2.3:a:nodebb:nodebb:4.13.2:*:*:*:*:*:*:* |
Thu, 02 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled. | |
| Title | NodeBB - ActivityPub Author Spoofing via Unvalidated attributedTo Mapped to Local User | |
| First Time appeared |
Nodebb
Nodebb nodebb |
|
| Weaknesses | CWE-290 CWE-345 |
|
| CPEs | cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Nodebb
Nodebb nodebb |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-07-01T19:27:23.367Z
Updated: 2026-07-07T12:50:17.730Z
Reserved: 2026-07-01T17:20:57.549Z
Link: CVE-2026-58593
Updated: 2026-07-02T15:08:38.830Z
No data.
No data.