// vulnerability record
cached · NVD via COSMOS sync · CVE-2026-58593
Severity: HIGH · published 2026-07-01 20:17 UTC · modified 2026-07-02 19:42 UTC
// description
NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the actor behind the HTTP signature and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as its author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Exploitation requires the ActivityPub/federation feature to be enabled.
// weaknesses (CWE)
- CWE-290
- CWE-345