๐Ÿ” CVE Alert

CVE-2026-58593

HIGH 7.5

NodeBB - ActivityPub Author Spoofing via Unvalidated attributedTo Mapped to Local User

CVSS Score
7.5
EPSS Score
0.2%
EPSS Percentile
8th

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled.

CWE CWE-345 CWE-290
Vendor nodebb
Product nodebb
Published Jul 1, 2026
Last Updated Jul 2, 2026
Stay Ahead of the Next One

Get instant alerts for nodebb nodebb

Be the first to know when new high vulnerabilities affecting nodebb nodebb are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Affected Versions

NodeBB / NodeBB
4.13.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/bikini/exploitarium/tree/main/nodebb-activitypub-attributedto-local-uid-spoof-poc github.com: https://github.com/NodeBB/NodeBB/blob/v4.13.2/src/activitypub/mocks.js vulncheck.com: https://www.vulncheck.com/advisories/nodebb-activitypub-author-spoofing-via-unvalidated-attributedto-mapped-to-local-user