NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled.
Metrics
Affected Vendors & Products
References
History
Wed, 01 Jul 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled. | |
| Title | NodeBB - ActivityPub Author Spoofing via Unvalidated attributedTo Mapped to Local User | |
| First Time appeared |
Nodebb
Nodebb nodebb |
|
| Weaknesses | CWE-290 CWE-345 |
|
| CPEs | cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Nodebb
Nodebb nodebb |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-01T19:27:23.367Z
Reserved: 2026-07-01T17:20:57.549Z
Link: CVE-2026-58593
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-02T03:15:16Z