CVE-2026-58593
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
A vulnerability in NodeBB allows a remote attacker to impersonate any local user, including the administrator, by forging posts and private messages via the ActivityPub protocol. The issue stems from missing validation that the authenticated remote actor matches the claimed author of the ActivityPub object.
Risk Assessment
An attacker can assume the identity of any user (including admin) to publish content or send private messages under their name, compromising data integrity, user trust, and enabling social engineering attacks.
Recommendation
Immediately update NodeBB to a version containing the fix that enforces verification of the attributedTo attribute against the authenticated actor. If an update is not possible, consider temporarily disabling the ActivityPub/federation feature.
Original NVD description (English source)
NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled.

