Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 01 Jul 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled. | |
| Title | NodeBB - ActivityPub Author Spoofing via Unvalidated attributedTo Mapped to Local User | |
| First Time appeared |
Nodebb
Nodebb nodebb |
|
| Weaknesses | CWE-290 CWE-345 |
|
| CPEs | cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Nodebb
Nodebb nodebb |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-01T19:27:23.367Z
Reserved: 2026-07-01T17:20:57.549Z
Link: CVE-2026-58593
No data.
No data.
No data.
OpenCVE Enrichment
No data.