OFFSITE.DARK

Jul 1, 2026

Exploitarium

  • nodebb
  • activitypub
  • federated
  • exploitarium


NodeBB 4.13.2 ActivityPub attributedTo Local UID Spoof

Signed remote Create(Note) with numeric attributedTo binds to local uid — private chat and public posts appear from spoofed administrator account.

Summary

NodeBB 4.13.2 verifies the top-level ActivityPub actor signature but accepts a numeric Note.attributedTo value as an internal local uid without binding it to the authenticated actor. A remote federated sender can forge private chat messages and public forum posts that appear to originate from uid 1 (commonly the first administrator). This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

Finding          | Detail
Product / target | NodeBB v4.13.2 with ActivityPub inbox enabled
Primitive        | activitypub.mocks.message() stores object.attributedTo as message.uid without an actor equality check
Impact           | Remote actor creates stored chat content and public topics attributed to arbitrary local uids

Attack Chain

Signed remote actor → POST /inbox Create(Note) attributedTo: 1 → assertPrivate → messaging.newRoom(spoofUid) → message stored with fromuid=1

Mitigation

Reject numeric attributedTo values; require ActivityPub actor URIs; assert embedded author matches authenticated top-level actor on all Create paths.
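The check described above, as an added illustration rather than NodeBB's own code: a standalone Node.js function that takes the actor URI proven by HTTP-signature verification and the parsed Create activity, rejects numeric or non-URI attributedTo values, and requires the embedded author to equal the authenticated top-level actor. The function names and the sample activities (remote.example, the signer URI) are constructed for this example and do not correspond to NodeBB internals.

```javascript
// Added example, not NodeBB's code: models the author-binding check an
// ActivityPub inbox should perform after HTTP-signature verification.
// Names (validateCreateAuthor, attributedToIds, isActorUri) and the
// sample activities below are constructed for illustration.

// Normalise an actor-valued field (actor, attributedTo), which ActivityPub
// allows to be a string, an object carrying an `id`, or an array of those.
function attributedToIds(value) {
  if (value === undefined || value === null) return [];
  const list = Array.isArray(value) ? value : [value];
  return list.map((v) => (typeof v === 'object' && v !== null ? v.id : v));
}

// Only absolute http(s) URIs are acceptable actor identifiers. Numbers,
// numeric strings and other schemes are rejected so a remote object can
// never be mapped onto an internal local uid.
function isActorUri(id) {
  if (typeof id !== 'string') return false;
  let url;
  try {
    url = new URL(id);
  } catch {
    return false;
  }
  return url.protocol === 'https:' || url.protocol === 'http:';
}

// authenticatedActor: actor URI established by the verified signature.
// activity: parsed Create activity from the inbox request body.
// Returns { ok: true, author } or { ok: false, reason }.
function validateCreateAuthor(authenticatedActor, activity) {
  if (!isActorUri(authenticatedActor)) {
    return { ok: false, reason: 'unauthenticated request' };
  }
  if (!activity || activity.type !== 'Create' || !activity.object) {
    return { ok: false, reason: 'not a Create with an object' };
  }
  // The top-level actor must itself be the signer.
  const actors = attributedToIds(activity.actor);
  if (actors.length !== 1 || actors[0] !== authenticatedActor) {
    return { ok: false, reason: 'activity.actor does not match signer' };
  }
  const authors = attributedToIds(activity.object.attributedTo);
  if (authors.length !== 1) {
    return { ok: false, reason: 'attributedTo must name exactly one actor' };
  }
  const [author] = authors;
  if (!isActorUri(author)) {
    return { ok: false, reason: 'attributedTo is not an actor URI' };
  }
  // Embedded author must equal the authenticated top-level actor.
  if (author !== authenticatedActor) {
    return { ok: false, reason: 'attributedTo does not match signer' };
  }
  return { ok: true, author };
}

// Constructed sample inbox activities from a hypothetical remote actor.
const SIGNER = 'https://remote.example/users/alice';

const spoofedNumeric = {
  type: 'Create',
  actor: SIGNER,
  object: { type: 'Note', attributedTo: 1, content: 'constructed sample' },
};
const mismatchedActor = {
  type: 'Create',
  actor: SIGNER,
  object: {
    type: 'Note',
    attributedTo: 'https://remote.example/users/bob',
    content: 'constructed sample',
  },
};
const genuine = {
  type: 'Create',
  actor: SIGNER,
  object: { type: 'Note', attributedTo: { id: SIGNER }, content: 'hello' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, act] of [
    ['spoofedNumeric', spoofedNumeric],
    ['mismatchedActor', mismatchedActor],
    ['genuine', genuine],
  ]) {
    console.log(name, validateCreateAuthor(SIGNER, act));
  }
}
```

The check runs after signature verification and before any storage call; the only author identity that reaches the messaging or topic layer is the URI returned in `author`, so a local uid can only ever be derived from a remote actor record, never from a field the sender controls.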
