What is the CVSS score of CVE-2026-34148?

CVE-2026-34148 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Fedify are affected by CVE-2026-34148?

Fedify's ActivityPub document loader contains an unbounded HTTP redirect vulnerability that allows unauthenticated remote attackers to exhaust server resources through denial of service.. A patch is available.

How to fix or mitigate CVE-2026-34148?

Within 24 hours: Identify all systems running Fedify and document current versions in use. Within 7 days: Upgrade to patched versions (1.9.6, 1.10.5, 2.0.8, or 2.1.1 depending on your current major version branch). Within 30 days: Conduct post-upgrade testing of ActivityPub federation functionality and validate no service disruptions occurred during migration.

Fedify CVE-2026-34148

EUVD-2026-19295 HIGH

Uncontrolled Resource Consumption (CWE-400)

2026-04-06 GitHub_M

GHSA-gm9m-gwc4-hwgp

Denial Of Service Fedify Vocab Runtime

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 25, 2026 - 18:07 vuln.today

cvss_changed

Patch released

Apr 07, 2026 - 20:30 nvd

Patch available

EUVD ID Assigned

Apr 06, 2026 - 15:30 euvd

EUVD-2026-19295

Analysis Generated

Apr 06, 2026 - 15:30 vuln.today

CVE Published

Apr 06, 2026 - 15:06 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

2 npm packages depend on @fedify/fedify (2 direct, 0 indirect)
7 npm packages depend on @fedify/vocab-runtime (5 direct, 2 indirect)

Ecosystem-wide dependent count for version 1.10.0 and other introduced versions.

DescriptionGitHub Advisory

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.

AnalysisAI

Unbounded HTTP redirect following in Fedify's ActivityPub document loaders enables resource exhaustion attacks. Remote unauthenticated attackers can trigger denial of service by controlling ActivityPub key or actor URLs that redirect indefinitely, forcing affected servers (Fedify versions before 1.9.6, 1.10.5, 2.0.8, and 2.1.1) to make repeated outbound requests from a single inbound request. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Attacker controls remote ActivityPub key URL

Delivery

Server loads URL with document loader

Exploit

Receives redirect response

Execution

Follows redirect without limit

Persist

Repeated requests exhaust server resources

Impact

Denial of service achieved

Access

Attacker controls remote ActivityPub key URL

Delivery

Server loads URL with document loader

Exploit

Receives redirect response

Execution

Follows redirect without limit

Persist

Repeated requests exhaust server resources

Impact

Denial of service achieved

Vulnerability AssessmentAI

Exploitation	Attacker controls a remote ActivityPub key or actor URL. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Real-world risk is moderate to high for internet-facing ActivityPub servers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker registers a malicious ActivityPub server and creates an actor profile with a crafted publicKey or actor URL pointing to an endpoint under their control. This endpoint returns HTTP 302 redirects in an infinite loop (e.g., A redirects to B, B redirects to A) or a very long chain (hundreds of redirects). …
Remediation	Upgrade Fedify to a patched version immediately based on your current major version branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Fedify and document current versions in use. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-50131 HIGH This Week

8.6 Jun 10

Server-Side Request Forgery in the Fedify ActivityPub library (versions 0.11.2 through 2.2.3, with branch-specific cutof

CVE-2026-34148 vulnerability details – vuln.today

Back

Fedify CVE-2026-34148

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

Blast Radius

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code