PT-2026-54922 · Nodebb · Nodebb
Bikini
·
Published
2026-07-01
·
Updated
2026-07-07
·
CVE-2026-58593
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
NodeBB (affected versions not specified)
Description
NodeBB fails to bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. While the inbound middleware verifies the HTTP-signature actor and the origin of the
object.id, it does not validate that the attributedTo parameter corresponds to the sender. Because the actors.assert() function silently ignores numeric identifiers, a remote actor can set attributedTo to a numeric value, such as 1, causing the system to attribute the post or private message to a local user ID, including the administrator account. This allows a remote attacker to forge posts and direct messages attributed to arbitrary local users. This issue requires the ActivityPub/federation feature to be enabled.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Disable the ActivityPub/federation feature to minimize the risk of exploitation.
Exploit
Authentication Bypass by Spoofing
Insufficient Verification of Data Authenticity
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Nodebb