CVE-2026-58593
Status: Received - Intake

ActivityPub Forgery in NodeBB Leading to User Impersonation

Vulnerability report for CVE-2026-58593, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: VulnCheck

Description

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled.

Meta Information

Published: 2026-07-01
Last modified: 2026-07-01
Page generated: 2026-07-02
AI Q&A generated: 2026-07-01
EPSS evaluated: N/A
Cross-references: NVD, EUVD

Affected Vendors & Products

2 associated CPEs:

Vendor    Product   Version / Range
nodebb    nodebb    up to and including 4.13.2
nodebb    nodebb    * (all versions)

Exploitability

CWE

CWE-345, Insufficient Verification of Data Authenticity: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-290, Authentication Bypass by Spoofing: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Executive Summary

CVE-2026-58593 is an authentication-binding flaw in NodeBB's ActivityPub integration. The inbound middleware verifies the HTTP signature on a delivery and resolves it to a remote actor, and it checks the origin of object.id, but it never checks that the object's attributedTo field names that same actor. The author claimed inside the object is therefore trusted as-is.

When the remote object is turned into a local post or private message, attributedTo is used directly as the author uid. actors.assert filters numeric identifiers out instead of rejecting them or re-deriving a uid from the sender, so a bare number survives unchanged to the point where it becomes the author. A remote actor on any instance the forum accepts deliveries from can send a Create whose object carries attributedTo: 1 and have the resulting post or private message recorded as authored by local uid 1, which on a NodeBB install is normally the administrator created at setup. The object.id origin check passes because the object genuinely lives on the attacker's own domain; only the claimed author is forged.

No local credentials are needed; the attacker only needs a remote actor with a valid HTTP signature. The ActivityPub/federation feature must be enabled on the target.

Impact Analysis

A remote attacker can create posts and direct messages that appear to come from arbitrary local users, including administrators, without holding any local credentials.

Because the forged content is stored under the victim's uid, it carries that account's name and standing in the forum. Practical uses include spreading misinformation under a trusted name, sending phishing or social-engineering messages as an administrator (for example a private message telling a user to "reset" a password at an attacker-controlled link), and planting content that other users or moderators will act on.

The flaw forges authorship, not sessions: it does not by itself give the attacker the victim's login or privileges. Anything that trusts the author field, from reader trust to moderation decisions, is affected, and the integrity of the forum and its messaging cannot be relied on while the feature is exposed.

Detection Guidance

Because the forged delivery is correctly signed by a real remote actor, HTTP-signature verification succeeds and signature-failure logging will not fire. Detection has to look at the content of inbound activities instead. The indicator is an inbound Create (or Update) activity whose object.attributedTo is not an ActivityPub actor URI at all, in particular a bare numeric value such as 1, which NodeBB maps to a local uid, or is a URI that names someone other than the actor proven by the HTTP signature.

ActivityPub deliveries are made over HTTPS, so sniffing port 80 on the forum host will not show them. Inspect requests where TLS is terminated: the reverse proxy's access log with request-body logging enabled, or a request-logging middleware placed in front of NodeBB's ActivityPub inbox routes. Only where the proxy forwards to NodeBB in plaintext on the local interface does a packet capture of that hop work. Example commands (replace the placeholders):

  • Capture the plaintext proxy-to-NodeBB hop and show inbox POSTs with their bodies: tcpdump -i lo -A -s 0 'tcp port <nodebb_backend_port>' | grep -i -A 40 'POST <activitypub_inbox_path>'
  • Search captured or logged request bodies for an attributedTo that is a number rather than a quoted URL: grep -E '"attributedTo"[[:space:]]*:[[:space:]]*[0-9]' <captured_bodies_file>

For exploitation that may already have happened, audit posts and chat messages attributed to local accounts, especially uid 1 and other administrators, against those accounts' login and session history: content created at a time when the user had no session, or that appeared at the same moment as an inbound inbox POST in the proxy log, is suspect. Keep the raw inbound activity alongside any content it produced so the claimed attributedTo can later be compared with the signing actor.

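The following added example is not NodeBB's code or log format; it puts the mechanism from the Description and Executive Summary and the detection idea above into running JavaScript. Part 1 contrasts a simplified version of the vulnerable author resolution (attributedTo taken as a uid, numeric values filtered out rather than rejected) with a hardened check that binds the author to the actor proven by the HTTP signature. Part 2 runs that same check over constructed inbox log lines as a detector. LOCAL_ORIGIN, the function names, the log field names (ts, method, path, signer, body) and the inbox path pattern are illustrative assumptions, and the log lines are constructed, not captured from a real deployment.

```javascript
// Added example, not NodeBB's own code. Names and the log format are assumptions.

const LOCAL_ORIGIN = "https://forum.example"; // assumed origin of the local forum

// Part 1: vulnerable vs hardened author binding.

// Vulnerable shape, simplified from the advisory: object.id's origin is checked
// (it is on the sender's own domain, so the check passes), numeric identifiers
// are filtered out of the remote-actor assertion instead of being rejected, and
// the raw attributedTo value is returned to be used as the author uid.
function resolveAuthorVulnerable(activity) {
  const object = activity.object;
  if (new URL(object.id).origin === LOCAL_ORIGIN) throw new Error("local object delivered remotely");
  const claimed = object.attributedTo;
  // Stand-in for actors.assert: only string ids are looked at, numbers silently drop out.
  [claimed].filter((v) => typeof v === "string").forEach((id) => new URL(id));
  return claimed; // a bare number here later becomes a local uid, e.g. 1
}

// attributedTo may be a string, an object with an id, or a one-element array.
// Reduce it to one actor id string, or null for anything else (numbers included).
function claimedActor(value) {
  if (Array.isArray(value)) return value.length === 1 ? claimedActor(value[0]) : null;
  if (typeof value === "string") return value;
  if (value && typeof value === "object" && typeof value.id === "string") return value.id;
  return null;
}

// Hardened shape: the author must be an actor URI, must not be local, and must
// be exactly the actor whose signature authenticated the request.
// Returns { ok: true, author } or { ok: false, reason }.
function bindAuthorHardened(activity, signerId) {
  const object = activity.object;
  if (!object || typeof object !== "object") return { ok: false, reason: "object not inlined; fetch it before judging" };
  if (activity.actor !== signerId) return { ok: false, reason: "activity.actor differs from signing actor" };
  const claimed = claimedActor(object.attributedTo);
  if (claimed === null) return { ok: false, reason: "attributedTo is not an actor URI" };
  let origin;
  try { origin = new URL(claimed).origin; } catch { return { ok: false, reason: "attributedTo is not a URL" }; }
  if (origin === LOCAL_ORIGIN) return { ok: false, reason: "remote delivery claims a local author" };
  if (claimed !== signerId) return { ok: false, reason: "attributedTo does not match signing actor" };
  return { ok: true, author: claimed };
}

// Part 2: the same check as a log detector.

// Constructed log (assumption): one JSON object per inbound request, with the
// HTTP-signature actor already resolved into `signer` by a proxy or logging
// middleware. Lines: a normal delivery, the numeric forgery from the advisory,
// a delivery claiming another remote actor, a non-JSON proxy line, and a GET.
const LOG_LINES = [
  '{"ts":"2026-07-01T09:58:12Z","method":"POST","path":"/inbox","signer":"https://remote.example/users/alice","body":{"type":"Create","actor":"https://remote.example/users/alice","object":{"type":"Note","id":"https://remote.example/notes/11","attributedTo":"https://remote.example/users/alice","content":"hi"}}}',
  '{"ts":"2026-07-01T10:02:40Z","method":"POST","path":"/inbox","signer":"https://remote.example/users/mallory","body":{"type":"Create","actor":"https://remote.example/users/mallory","object":{"type":"Note","id":"https://remote.example/notes/12","attributedTo":1,"content":"Please reset your password here"}}}',
  '{"ts":"2026-07-01T10:03:05Z","method":"POST","path":"/inbox","signer":"https://remote.example/users/mallory","body":{"type":"Create","actor":"https://remote.example/users/mallory","object":{"type":"Note","id":"https://remote.example/notes/13","attributedTo":{"id":"https://remote.example/users/alice"},"content":"forged"}}}',
  'Jul  1 10:03:06 forum nginx: upstream timed out',
  '{"ts":"2026-07-01T10:04:00Z","method":"GET","path":"/users/admin","signer":null,"body":null}',
];

// Scan inbox POSTs and report every delivery the hardened check would reject.
function scanInboxLog(lines) {
  const findings = [];
  let unparsed = 0;
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { unparsed += 1; continue; }
    if (entry.method !== "POST" || !/\/inbox$/.test(entry.path || "")) continue; // assumed inbox path
    const body = entry.body;
    if (!body || (body.type !== "Create" && body.type !== "Update")) continue;
    const verdict = bindAuthorHardened(body, entry.signer);
    if (!verdict.ok) {
      findings.push({
        ts: entry.ts,
        signer: entry.signer,
        objectId: body.object && body.object.id,
        attributedTo: body.object && body.object.attributedTo,
        reason: verdict.reason,
      });
    }
  }
  return { findings, unparsed };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanInboxLog(LOG_LINES), null, 2));
}
```

Run stand-alone it prints two findings: the numeric forgery (attributedTo 1, the case the advisory describes) and the delivery that claims another remote actor, which the same missing binding would let through; the non-JSON line is counted as unparsed and the GET is ignored. The vulnerable resolver, given the second log line's body, returns the number 1 unchanged, which is exactly the value the advisory says ends up as the post author.
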
Mitigation Strategies

Immediate mitigation steps include:

  • Update NodeBB to a release the vendor identifies as fixed; the affected range listed above ends at 4.13.2 inclusive. A correct fix rejects objects whose attributedTo is not an actor URI (a numeric value must fail, not be filtered out) and binds the author to the actor proven by the HTTP signature, so a remote sender can only ever author content as itself.
  • Disable the ActivityPub/federation feature if it is not needed; with federation off the inbound inbox is not reachable and the flaw cannot be triggered.
  • If updating is not immediately possible, enforce the check at the reverse proxy or WAF that terminates TLS: reject POSTs to the inbox routes whose object.attributedTo is absent, non-string, or not an https URL. Filtering below the TLS layer cannot see the JSON body, so this cannot be done with plain network-level rules; blocking federation traffic entirely can.
  • After patching, audit existing content. Forged posts and private messages already created remain in the database and are not removed by the update; review recent content attributed to administrators and other sensitive accounts, remove anything those users did not write, and warn users who received forged private messages.
  • Continue monitoring inbound activities and author attributions as described under Detection Guidance.
