
NodeBB CVE-2026-58593

EUVD: EUVD-2026-41131 · HIGH
Insufficient Verification of Data Authenticity (CWE-345)
2026-07-01 · VulnCheck · GHSA-8m27-grg5-27vj
Score: 8.7 (CVSS 4.0, Vendor: VulnCheck)

Severity by source

Vendor (VulnCheck), primary: 8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 5.9 MEDIUM
Rationale: network-reachable and unauthenticated (PR:N: the attacker uses their own valid remote HTTP signature and needs no local account); AC:H in the 3.1 vector (expressed as AT:P in the 4.0 vector) because federation must be enabled on the target and a remote actor that passes signature verification is required; only integrity is affected, via author forgery, so C:N/A:N.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck). The two sources differ only on whether the federation-enabled precondition counts as attack complexity: the vendor vector scores it AT:N, the AI vector AT:P.

CVSS Vector (Vendor: VulnCheck), metric breakdown of the vector above

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not applicable; CVSS 4.0 has no Scope metric)

Lifecycle Timeline (5 events)

  • Jul 01, 2026 20:29 (vuln.today): Analysis updated, v3 (cvss_changed)
  • Jul 01, 2026 20:29 (vuln.today): Analysis updated, v2 (cvss_changed)
  • Jul 01, 2026 20:22 (vuln.today): Re-analysis queued (cvss_changed)
  • Jul 01, 2026 20:22 (NVD): CVSS changed, 7.5 (HIGH) to 8.7 (HIGH)
  • Jul 01, 2026 20:17 (vuln.today): Analysis generated

Description (CVE.org)

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled.

Analysis (AI)

Author spoofing in NodeBB's ActivityPub federation allows a remote federated actor to forge posts and private messages attributed to arbitrary local users, including the administrator (uid 1). Because the inbound middleware validates the HTTP-signature actor and the origin of object.id but never binds attributedTo to the authenticated sender, an attacker with a valid remote signature can impersonate any local account. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: control a valid remote ActivityPub actor
  • Delivery: craft a Create object with attributedTo: 1
  • Exploit: send the signed activity to the federation inbox
  • Execution: middleware verifies the signature but not attributedTo
  • Persist: post/DM is created under the administrator uid
  • Impact: forged content impersonates the local admin

Vulnerability Assessment (AI)

Exploitation: requires the target NodeBB instance to have the ActivityPub/federation feature explicitly enabled. This is the primary gating precondition and it is not the default. …

Risk Assessment: the supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H) scores 8.7 and describes a network-reachable, low-complexity, unauthenticated attack with high integrity impact and no confidentiality or availability impact, which is consistent with an impersonation/forgery flaw. …

Exploit Scenario: an attacker stands up (or controls) a remote ActivityPub actor that can produce a valid HTTP signature, then sends a Create activity to a federation-enabled NodeBB instance with attributedTo set to the bare numeric value 1. NodeBB accepts that value as the local author uid and creates the post or private message as the administrator, letting the attacker publish forged announcements or send DMs that appear to come from staff. …

Remediation: upgrade NodeBB to a release in which inbound ActivityPub processing binds attributedTo to the HTTP-signature-verified remote actor and re-derives (rather than trusts) the local uid. A released patched version could not be independently confirmed from the provided data, so consult the VulnCheck advisory (https://www.vulncheck.com/advisories/nodebb-activitypub-author-spoofing-via-unvalidated-attributedto-mapped-to-local-user) and the NodeBB project for the exact fix version before deploying. …
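The description, attack chain and remediation above all turn on one check: whether the author claimed in attributedTo is tied to the actor that signed the request. The following is an added illustration and is not NodeBB's code nor code from the VulnCheck advisory; the function names, the sample activities and the same-origin binding rule are assumptions. It reproduces the two behaviours the description calls out (a numeric id silently filtered out, the raw attributedTo used as uid) beside a resolver that rejects anything not bound to the signing actor.

```javascript
// Added illustration for CVE-2026-58593. Not NodeBB's code; function names
// (assertActorsVulnerable, resolveAuthorVulnerable, resolveAuthorFixed) and the
// sample activities are hypothetical. Taken from the advisory: inbound objects
// carry attributedTo, the HTTP signature identifies the sender, numeric
// attributedTo values were filtered out rather than rejected, and the raw
// attributedTo value then became the local author uid.

// Constructed: the remote actor proven by the verified HTTP signature on the
// inbound POST to the inbox. Nothing else in the request is authenticated.
const SIGNED_ACTOR = 'https://evil.example/users/mallory';

// Constructed Create activity. object.id sits on the signer's origin, so an
// origin check on object.id passes; attributedTo is the local admin's bare uid.
const forgedActivity = {
  type: 'Create',
  actor: SIGNED_ACTOR,
  object: {
    id: 'https://evil.example/notes/42',
    type: 'Note',
    attributedTo: 1,
    content: 'Password reset required: log in at evil.example',
  },
};

// Constructed well-formed activity from the same sender, attributed to itself.
const legitActivity = {
  type: 'Create',
  actor: SIGNED_ACTOR,
  object: {
    id: 'https://evil.example/notes/43',
    type: 'Note',
    attributedTo: SIGNED_ACTOR,
    content: 'hello from mallory',
  },
};

// Vulnerable pattern 1: an "assert these actors exist" step that filters
// non-URL ids out instead of failing. A numeric id vanishes from the list,
// so no error is raised and nothing re-derives a uid for it.
function assertActorsVulnerable(ids) {
  return ids.filter((id) => typeof id === 'string');
}

// Vulnerable pattern 2: the author uid is copied straight from attributedTo.
// With attributedTo: 1 the post lands under uid 1, the administrator.
function resolveAuthorVulnerable(activity) {
  assertActorsVulnerable([activity.object.attributedTo]); // silently drops 1
  return activity.object.attributedTo;
}

// Fixed pattern (assumed rule): attributedTo must be an https actor URL on the
// origin of the actor that signed the request, and the uid is derived from
// that URL, never copied from the untrusted field. Exact equality with the
// signer is the strictest binding; same-origin is the usual relaxation for
// instances that sign with a shared instance actor.
function resolveAuthorFixed(activity, signedActor) {
  const { attributedTo } = activity.object;
  if (typeof attributedTo !== 'string') {
    throw new Error(`attributedTo must be an actor URL, got ${typeof attributedTo}`);
  }
  let claimed;
  try {
    claimed = new URL(attributedTo);
  } catch {
    throw new Error(`attributedTo is not a URL: ${attributedTo}`);
  }
  const signer = new URL(signedActor);
  if (claimed.protocol !== 'https:' || claimed.origin !== signer.origin) {
    throw new Error(`attributedTo ${attributedTo} is not bound to signer ${signedActor}`);
  }
  // Remote users are keyed by their actor URL, so a local numeric uid can
  // never come out of this path.
  return claimed.href;
}

// Run both resolvers over an activity and report what each would do.
function evaluate(activity) {
  const vulnerable = resolveAuthorVulnerable(activity);
  let fixed;
  try {
    fixed = resolveAuthorFixed(activity, SIGNED_ACTOR);
  } catch (err) {
    fixed = `rejected: ${err.message}`;
  }
  return { vulnerable, fixed };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('forged:', evaluate(forgedActivity));
  console.log('legit :', evaluate(legitActivity));
}
```

Run with node: the forged activity resolves to uid 1 on the vulnerable path and is rejected on the fixed path, while the self-attributed activity resolves to the signer's actor URL on both. The check is deliberately placed where the signature result is already known, which is the only point at which attributedTo can be bound to anything authenticated.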

Recommended Action (AI)

24 hours: Audit whether ActivityPub federation is enabled on all NodeBB instances; disable it immediately if operationally feasible. …



CVE-2026-58593 vulnerability details – vuln.today
