Skip to main content

Canonical CVE-2026-42462

| EUVDEUVD-2026-36127 HIGH
Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)
2026-05-26 https://github.com/fedify-dev/fedify GHSA-9rfg-v8g9-9367
7.0
CVSS 3.1 · Vendor: https://github.com/fedify-dev/fedify
Share

Severity by source

Vendor (https://github.com/fedify-dev/fedify) PRIMARY
7.0 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L

Primary rating from Vendor (https://github.com/fedify-dev/fedify) · only source for this CVE.

CVSS VectorVendor: https://github.com/fedify-dev/fedify

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 27, 2026 - 00:03 vuln.today
Analysis Generated
May 27, 2026 - 00:03 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @fedify/fedify (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.2.0.

DescriptionCVE.org

Summary

An attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received.

Details

The vulnerability essentially boils down to the signature being on the canonical RDF graph representation of the JSON-LD document, and JSON-LD offering many ways to represent the same graph.

One of the issues is that by taking a signed Activity with an embedded object, an attacker can move the top-level Activity to a @graph property and move the activity's object to the top-level. Such a transformation preserves the signature and changes how the payload is interpreted by pretty much all ActivityPub implementations, making them process the object and ignore the formely-top-level activity. This can be used when the graph contains an embedded activity. In Mastodon, that is the case of { "type": "Undo", "object": { "type": "Announce" } }, but other implementations may sign other activities that can be exploited in the same way.

The @reverse keyword can also be used to change the shape of a JSON-LD document without changing the underlying graph, and could be used in a similar way to reverse an Activity and its object.

Another problematic feature is @included, which can be used to “move” properties outside of the normal tree, effectively making them invisible to most ActivityPub implementations, while, again, preserving the signature. This allows removing statuses or actor properties once a signed Create or Update activity is received.

Given that Fedify have seen no use of @graph, @included or @reverse in ActivityPub payloads and that they are very complex to handle correctly (the only JSON-LD API functions that “normalize” @included and @reverse are flattening and framing, which both lose the root node), a decision to reject them has been made, and it is recommended for users do so as well.

Detection of @graph, @included and @reverse should happen after compacting the incoming activity to an application's context, as aliases can be used for those keywords.

Additionally, after a quick scan of Fedify's source code, I could not verify that JSON-LD documents with a verified Linked Data Signature were compacted against an application's local JSON-LD context. Not doing that allows an attacker to rename aliases to non-standard names and use non-mapped aliases to replace existing values, while still leaving the signature intact. This allows an attacker to essentially replace arbitrary portions of any signed JSON-LD document and completely forge any activity while still passing verification. A similar issue was fixed in Mastodon a few years ago: https://github.com/mastodon/mastodon/pull/17426.

Impact

The impact is difficult to assess as this depends on the types of activities that are actually signed and processed in the wild.

The @included keyword allows “removing” arbitrary attributes, thus allowing replaying Create and Update activities while stripping away any attribute, such as content or metadata, which can lead to integrity and availability issues, although confidentiality issues are unlikely.

The @graph and @reverse keywords allow changing the root activity, which in the case of Mastodon allows sending an Announce from a Undo { Announce }, but might have wider consequences depending on what various servers sign.

The lack of compacting can allow rewriting any activity arbitrarily, thus leading to major integrity, availability, and possibly confidentiality issues (e.g. by replacing an actor's inbox).

AnalysisAI

Here is the multi-source synthesis for CVE-2026-42462:

json
{
  "product_name": "Fedify",
  "summary": "Linked Data Signature forgery in Fedify (the @fedify/fedify ActivityPub server framework) before 2.2.3 lets remote unauthenticated attackers reshape a third-party-signed activity so it is interpreted differently while its signature still verifies. Because the signature covers the canonical RDF graph rather than the JSON-LD serialization, an attacker who has received a signed activity can use JSON-LD keywords (@graph, @reverse, @included) or context-alias tricks to promote, hide, or rewrite fields and have the forged result accepted as authentic. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the GitHub Security Advisory documents the exact restructuring techniques in detail.",
  "technical_context": "Fedify is a TypeScript/JavaScript framework (npm package @fedify/fedify, CPE pkg:npm/@fedify_fedify) for building ActivityPub/fediverse servers, where federated servers authenticate inbound activities using Linked Data Signatures. An LD-Signature is computed over the canonicalized RDF dataset (RDF Dataset Normalization) derived from a JSON-LD document, not over the JSON bytes. The root cause maps to CWE-180 (Incorrect Behavior Order: Validate Before Canonicalize): JSON-LD permits many different document serializations of the same underlying graph, so keywords such as @graph (named graphs), @reverse (reversed relations), and @included (out-of-tree statements) let an attacker move the effective root node or hide properties while the canonical graph — and therefore the signature — stays valid. Compounding this, Fedify did not verifiably compact signed documents against the application's local JSON-LD context before processing, so attacker-chosen aliases and non-mapped terms could relabel or replace values; the same class of flaw was previously fixed in Mastodon (PR #17426).",
  "risk_assessment": "The CVSS 3.1 score is 7.0 (High) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L — network reachable and unauthenticated (PR:N), but high attack complexity (AC:H) because the attacker must already possess a valid third-party-signed activity and craft a structure-preserving transformation, and impact is integrity-centric (I:H) with only low confidentiality and availability impact. No EPSS score was provided in the input and the CVE is not listed in CISA KEV, so there is no signal of widespread automated exploitation; no public exploit code was identified, though the advisory describes the techniques concretely enough to guide an attacker. CONFLICTING SIGNAL: the input 'RCE' tag is inconsistent with both the description and the CVSS impact metrics (C:L/I:H/A:L), which describe signature forgery and activity tampering, not remote code execution — treat the RCE tag as a likely mislabel. Net assessment: a real, integrity-focused priority specifically for operators running Fedify-based fediverse servers, but exploitation is conditional (it needs a pre-existing signed activity to manipulate) rather than a spray-and-pray internet-wide threat.",
  "affected_products": "The affected product is the Fedify ActivityPub framework distributed as the npm package @fedify/fedify (CPE pkg:npm/@fedify_fedify). All versions prior to 2.2.3 are vulnerable, and the issue is fixed in 2.2.3. Details are published in GitHub Security Advisory GHSA-9rfg-v8g9-9367 (https://github.com/fedify-dev/fedify/security/advisories/GHSA-9rfg-v8g9-9367) and the fixed release at https://github.com/fedify-dev/fedify/releases/tag/2.2.3.",
  "remediation": "Vendor-released patch: 2.2.3 (released May 21, 2026) — upgrade @fedify/fedify to 2.2.3 or later, which rejects activities containing @graph, @included, and @reverse and compacts verified documents against the application context. If you cannot upgrade immediately, apply the same controls the vendor recommends: after compacting each incoming signed activity to your application's local JSON-LD context (compacting first is required because aliases can disguise these keywords), reject any document that still contains @graph, @included, or @reverse, and always compact LD-Signature-verified documents against your local context before processing so attacker-renamed aliases and non-mapped terms cannot substitute values. The trade-off of rejecting these keywords is minimal in practice — the vendor observed no legitimate ActivityPub use of @graph, @included, or @reverse — but custom integrations that rely on named graphs would break. See GHSA-9rfg-v8g9-9367 (https://github.com/fedify-dev/fedify/security/advisories/GHSA-9rfg-v8g9-9367) and the release notes at https://github.com/fedify-dev/fedify/releases/tag/2.2.3.",
  "exploit_scenario": "A malicious or compromised fediverse server takes a legitimately signed activity it received over federation — for example Mastodon's Undo wrapping an Announce ({\"type\":\"Undo\",\"object\":{\"type\":\"Announce\"}}) — and rewrites it by moving the top-level Undo into a @graph property and promoting the embedded Announce to the document root. The signature still verifies because the canonical RDF graph is unchanged, so the receiving server processes the standalone Announce and ignores the original Undo, effectively replaying or forging the action. No public proof-of-concept code was identified, but the advisory documents the transformation steps explicitly.",
  "exploitation_conditions": "The attacker must first possess a genuine third-party-signed activity received via federation, and for the @graph/@reverse vector that activity must contain an embedded object or nested activity that can be promoted (the canonical Mastodon example is Undo{Announce}); the @included vector instead requires a signed Create or Update whose attributes can be hidden. No authentication is required against the victim (PR:N) and no user interaction is needed (UI:N). Exploitation is limited by high attack complexity (AC:H): success depends on which specific activity types a given server actually signs and processes, the attacker must craft a JSON-LD restructuring that preserves the canonical graph, and the impact varies by implementation — so this is not unauthenticated remote exploitation against a default configuration, but rather conditional forgery that hinges on obtaining and reshaping a suitable pre-signed activity.",
  "attack_chain": "Receive third-party signed activity → Wrap activity in @graph or hide fields via @included → Canonical RDF graph unchanged so signature stays valid → Relay restructured payload to target inbox → Server processes attacker-controlled forged activity",
  "confidence_notes": "CONFIRMED: fixed version 2.2.3 and the May 21, 2026 release are confirmed by the vendor's GitHub release notes and advisory GHSA-9rfg-v8g9-9367, and the affected range (< 2.2.3) comes directly from the GHSA. INFERRED: authentication and complexity characterizations are taken from the supplied CVSS vector (PR:N, AC:H). UNKNOWN/MISSING: no EPSS score was provided, the CVE is not in CISA KEV, and no public exploit code was identified (the advisory describes the technique but references no PoC); additionally, the 'RCE' input tag is unverified and contradicts the CVSS impact metrics and description, so it should not be relied upon."
}

Two cross-source observations worth flagging beyond the fields: the RCE tag conflicts with every other signal (description, CVSS C:L/I:H/A:L, CWE-180) — this is a signature/integrity bypass, not code execution. And the AC:H + PR:N combination is the key to triage: unauthenticated but gated by the precondition of already holding a valid third-party-signed activity, which makes this a targeted federation-abuse issue rather than a mass-scannable one.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

CVE-2026-42462 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy