Severity by source

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Rationale: Network and unauthenticated (PR:N: the attacker uses their own valid remote signature and needs no local account); AC:H because federation must be enabled and a signature-passing remote actor is required; only integrity is impacted, via author forgery, so C:N/A:N.
Description (CVE.org)
NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled.
Analysis (AI-generated)
Author spoofing in NodeBB's ActivityPub federation allows a remote federated actor to forge posts and private messages attributed to arbitrary local users, including the administrator (uid 1). Because the inbound middleware validates the HTTP-signature actor and the origin of object.id but never binds attributedTo to the authenticated sender, an attacker with a valid remote signature can impersonate any local account. …
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | Requires the target NodeBB instance to have the ActivityPub/federation feature explicitly enabled; this is the primary gating precondition and is non-default. … |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H) scores 8.7 and reflects a network-reachable, low-complexity, unauthenticated attack with high integrity impact and no confidentiality or availability impact, consistent with an impersonation/forgery flaw. … |
| Exploit Scenario | An attacker stands up (or controls) a remote ActivityPub actor that can produce a valid HTTP signature, then sends a Create activity to a federation-enabled NodeBB instance with attributedTo set to the bare numeric value 1. NodeBB accepts the value as the local author uid and creates the post or private message as the administrator, letting the attacker publish forged announcements or send DMs that appear to come from staff. … |
| Remediation | Upgrade NodeBB to a release in which inbound ActivityPub processing binds attributedTo to the HTTP-signature-verified remote actor and re-derives (rather than trusts) the local uid. A released patched version could not be independently confirmed from the provided data, so consult the VulnCheck advisory (https://www.vulncheck.com/advisories/nodebb-activitypub-author-spoofing-via-unvalidated-attributedto-mapped-to-local-user) and the NodeBB project for the exact fix version before deploying. … |
Recommended Action (AI-generated)
24 hours: Audit whether ActivityPub federation is enabled on all NodeBB instances; disable it immediately if operationally feasible. …
Related NodeBB vulnerabilities

- Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code in …
- Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code and …
- NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). Rated hi…
- A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code …

References: EUVD-2026-41131, GHSA-8m27-grg5-27vj