CVE-2026-58593
NodeBB - ActivityPub Author Spoofing via Unvalidated attributedTo Mapped to Local User
Vexday Risk Score: 38 (Attention)
SSVC decision (CISA): Attend (PoC available, so attend closely)
CVSS: 8.7 · EPSS: — · KEV: no · PoC: public · Nuclei: — · Metasploit: — · Patch: —
Lifecycle: 01 Jul 2026, published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the actor named in the HTTP signature and checks that object.id comes from that actor's origin, but it never validates that attributedTo corresponds to the sender. In the object mock (the code that builds a local post from the remote object), attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid from an actor URL). A federated remote actor can therefore set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as its author, including the administrator account. This lets an unauthenticated remote attacker forge posts and direct messages attributed to arbitrary local users. The issue is only reachable when the ActivityPub/federation feature is enabled; until a fix is available, disabling federation removes the exposure, and a fix must bind attributedTo to the signed actor rather than accept a bare uid.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
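To make the failure mode concrete, the following stand-in is an added example written for this page; it is not NodeBB's code and does not reproduce its mock or actors.assert. It models the three pieces the description names: the middleware trusting the HTTP-signature actor and checking the origin of object.id, an unbound author lookup that passes a numeric attributedTo straight through as a local uid, and a hardened lookup that requires attributedTo to be the signing actor's URL. The function names, the synthetic negative-uid scheme for remote actors, and the sample activity are all constructed for the example; the strict equality between attributedTo and the signing actor is a design choice here (some federations may need a looser same-origin binding).

```javascript
// Added illustration, not NodeBB's code. Models how an unbound attributedTo
// becomes a local uid and how binding it to the signed actor prevents that.

// Constructed inbound activity: the HTTP signature checked out for
// https://remote.example/users/mallory, but the object names a bare local uid.
const signedActor = 'https://remote.example/users/mallory';
const forgedCreate = {
  type: 'Create',
  actor: signedActor,
  object: {
    id: 'https://remote.example/notes/42',
    type: 'Note',
    attributedTo: 1,                // bare local uid (typically the admin)
    content: 'forged text',
  },
};

// Hypothetical remote-uid table: remote actors get negative synthetic uids
// keyed by actor URL, so they can never collide with a positive local uid.
const remoteUids = new Map();
function remoteUidFor(actorUrl) {
  if (!remoteUids.has(actorUrl)) remoteUids.set(actorUrl, -(remoteUids.size + 1));
  return remoteUids.get(actorUrl);
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// The checks the description says the middleware does perform: the activity's
// actor is the signer and object.id is from the signer's origin. The forged
// activity passes both, because only attributedTo is wrong.
function middlewareAccepts(activity, signedActorUrl) {
  return activity.actor === signedActorUrl
      && sameOrigin(activity.object.id, signedActorUrl);
}

// Unbound mapping (the flaw): a numeric or digit-string attributedTo is used
// as the local uid as-is, so the post is created under that user.
function resolveAuthorUnbound(object) {
  const who = object.attributedTo;
  if (typeof who === 'number' || /^\d+$/.test(String(who))) {
    return Number(who);
  }
  return remoteUidFor(String(who));
}

// Bound mapping (the fix): attributedTo must be an absolute actor URL and
// must be the actor that signed the request. A bare uid, a local URL or a
// different actor is refused, and the uid is always derived from the URL.
function resolveAuthorBound(object, signedActorUrl) {
  const who = object.attributedTo;
  if (typeof who !== 'string' || !/^https?:\/\//.test(who)) {
    throw new Error('attributedTo must be an absolute actor URL, not a uid');
  }
  if (!sameOrigin(who, signedActorUrl)) {
    throw new Error('attributedTo origin does not match the signing actor');
  }
  if (who !== signedActorUrl) {
    throw new Error('attributedTo is not the signing actor');
  }
  return remoteUidFor(who);
}

// Stand-alone demonstration.
function demo() {
  console.log('middleware accepts forged activity:', middlewareAccepts(forgedCreate, signedActor));
  console.log('unbound author uid:', resolveAuthorUnbound(forgedCreate.object));
  try {
    resolveAuthorBound(forgedCreate.object, signedActor);
  } catch (e) {
    console.log('bound resolver refused:', e.message);
  }
}
demo();
```

The point to take from the example is that the origin check on object.id is not a substitute for binding the author: the forged activity passes the middleware untouched, and only the resolver that derives the uid from the signed actor's URL refuses it.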
Affected products: NodeBB (NodeBB)
Public PoCs found: 1
github.com/bikini/exploitarium/tree/main/nodebb-activitypub-attributedto-local-uid-spoof-poc (cve_reference, unverified). Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://github.com/bikini/exploitarium/tree/main/nodebb-activitypub-attributedto-local-uid-spoof-poc
https://github.com/NodeBB/NodeBB/blob/v4.13.2/src/activitypub/mocks.js
https://www.vulncheck.com/advisories/nodebb-activitypub-author-spoofing-via-unvalidated-attributedto-mapped-to-local-user