PT-2026-54922 · Nodebb · Nodebb

Bikini

·

Published

2026-07-01

·

Updated

2026-07-07

·

CVE-2026-58593

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions NodeBB (affected versions not specified)
Description NodeBB fails to bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. While the inbound middleware verifies the HTTP-signature actor and the origin of the object.id, it does not validate that the attributedTo parameter corresponds to the sender. Because the actors.assert() function silently ignores numeric identifiers, a remote actor can set attributedTo to a numeric value, such as 1, causing the system to attribute the post or private message to a local user ID, including the administrator account. This allows a remote attacker to forge posts and direct messages attributed to arbitrary local users. This issue requires the ActivityPub/federation feature to be enabled.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. Disable the ActivityPub/federation feature to minimize the risk of exploitation.

Exploit

Authentication Bypass by Spoofing

Insufficient Verification of Data Authenticity

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58593

Affected Products

Nodebb